BUSINESS RISK A practical guide for board members A DIRECTOR’S GUIDE
Dec 14, 2015
In a world of increasing complexity and uncertainty, the need for companies to develop robust risk management strategies is greater than ever. Yet many fail to do so, either because they are overwhelmed by the size of the task or because they are ill-equipped to tackle it.
Responsibility for business risk oversight lies squarely with board members.
This guide will help directors – both executive and non-executive, in large and small companies – to develop an effective approach to managing business risk. Key topics it covers include:
• The board’s distinctive role in risk oversight
• Aligning risk management and strategy
• Establishing risk appetite and tolerance
• Board composition and behaviour
• Interaction with stakeholders
• Directors’ personal risks
This guide is part of the Director’s Guide series,published by the Institute of Directors,providing directors with clear, practical adviceon key business issues, with real life case studies.
£9.95
Editor, Director Publications Ltd: Lysanne Currie
Consultant Editor: Tom Nash
Art Editor: Chris Rowe
Production Manager: Lisa Robertson
Head of Commercial Relations: Nicola Morris
Commercial Director: Sarah Ready
Managing Director: Andrew Main Wilson
Chairman: Simon Walker
Published for the Institute of Directors, Airmic Ltd, Chartis Europe Ltd,
PricewaterhouseCoopers LLP and Willis UK Ltd by
Director Publications Ltd, 116 Pall Mall, London SW1Y 5ED
020 7766 8910
www.iod.com
©Copyright Director Publications Ltd. June 2012
A CIP record for this book is available from the British Library
ISBN 9781904520-80-1
Printed and bound in Great Britain
Price £9.95
The Institute of Directors, Airmic Ltd, Chartis Europe Ltd,
PricewaterhouseCoopers LLP, Willis UK Ltd and Director Publications Ltd accept
no responsibility for the views expressed by contributors to this publication.
Readers should consult their advisers before acting on any issue raised.
ABOUT THE SPONSORS
INSTITUTE OF DIRECTORS
The IoD is the leading organisation supporting and representing business
leaders in the UK and internationally. One of its key objectives is to raise the
professional standards of directors and boards, helping them attain high levels of
expertise and effectiveness by improving their knowledge and skills.
AIRMIC
Airmic represents corporate risk managers and insurance buyers. Its
membership includes two-thirds of the FTSE 100, as well as many smaller
companies. The association organises training for its members, seminars,
breakfast meetings and social occasions. It regularly commissions research and
its annual conference is the leading risk management event in the UK.
CHARTIS
Chartis is a world-leading property-casualty and general insurance organisation
serving more than 70 million clients around the world. With one of the industry’s
most extensive ranges of products and services, deep claims expertise and great
financial strength, Chartis enables its clients to manage risk with confidence.
PWC
As the UK's leading provider of integrated governance, risk and regulatory
compliance services, PwC specialises in helping businesses and their boards
create value in a turbulent world. Drawing from a global network of specialists in
risk, regulation, people, operations and technology, PwC helps its clients to
capitalise on opportunities, navigate risks and deliver lasting change through
the creation of a risk-resilient business culture.
WILLIS
Willis Group Holdings plc is a leading global insurance broker. Through its
subsidiaries, it develops and delivers professional insurance, reinsurance, risk
management, financial and HR consulting and actuarial services to corporations,
public entities and institutions around the world. Willis has more than 400
offices in nearly 120 countries, with a global team of some 17,000 associates.
CONTENTS
Introduction: Simon Walker, Director General, Institute of Directors
Foreword: Sir John Parker, Chairman, Anglo-American
PART 1: THE ISSUES
Chapter 1: A world of danger
Nicolas Aubert, UK Managing Director, Chartis
Chapter 2: The board’s distinctive role in risk oversight
Dr Roger Barker, Head of Corporate Governance, Institute of Directors
Chapter 3: Key challenges facing boards in risk oversight
Alpesh Shah, Actuarial Risk Practice Director, and Richard Sykes, Governance, Risk & Compliance UK Leader, PwC
PART 2: THE SOLUTIONS
Chapter 4: The board’s role in establishing the right corporate culture
Roger Steare, Professor of Organisational Ethics at Cass Business School, City University
Chapter 5: Risk and strategy
Alpesh Shah and Richard Sykes, PwC
Chapter 6: Defining the risk appetite/risk tolerance of the organisation
Tom Teixeira, Practice Leader, Global Markets International, Willis Group
Chapter 7: Board composition
Sir Geoffrey Owen, Senior Fellow, The London School of Economics and Political Science
Chapter 8: The boardroom conversation
Alison Hogan, Managing Partner, Anchor Partners, with Ronny Vansteenkiste, SVP, Group Head Talent Management & Organisation Development, Willis Group
Chapter 9: Information and the board
David Jackson, Company Secretary, BP
Chapter 10: Interaction with shareholders
David Pitt-Watson, Chair, Hermes Focus Asset Management
Chapter 11: The personal risks facing directors
Grant Merrill, Chief Underwriting Officer, Commercial Institutions, Financial Lines, Chartis
Chapter 12: The final word
John Hurrell, Chief Executive, Airmic
Case studies: Lessons from major risk events are highlighted throughout the Guide. For details, see page 12
BOARDS AND RISK
Simon Walker, Director General, Institute of Directors
In its analysis of some of the most significant corporate disasters of recent years,
the recent study, Roads to Ruin, identifies a number of determinants of corporate
failure (see page 12). The key lesson that emerges is that the board of directors is
a crucial mechanism through which risks should be identified and managed.
Without a competent board, manageable difficulties are more likely to
escalate out of control. There is a greater chance that the organisation will
experience major losses, damage to its reputation, or disappear altogether.
It is clear from these cases – and others that emerged during the recent
financial crisis – that risk management is a core task for the board of directors or
supervisory board. Risk management cannot simply be delegated to specialist
risk managers or even the CEO. It is simply too important. Moreover, many
aspects of risk management require a strategic perspective that is beyond the
remit of the typical risk management department.
A common problem is for non-executive or supervisory board members to
face major challenges in securing adequate flows of objective information about
the performance of the business. In particular, a ‘glass ceiling’ that hinders
communication between internal monitoring departments (such as risk
management, internal audit or compliance) and the board can prove a fatal flaw.
In contrast, a well-informed and independently-minded board can play a
crucial role in defining the risk tolerance of the organisation. It is also well
positioned to spot the emerging risks that can so easily be overlooked or
discounted by managers immersed in the day-to-day operation of the enterprise.
Although this guide is particularly aimed at enhancing the effectiveness of
non-executive directors, senior executives will also benefit from a better
understanding of how their own risk management activities should interact with
the board in a manner that promotes the overall success of the organisation.
There are few aspects of a board's functioning that are as crucial to long-term
corporate success as risk management. For directors who wish to avoid the
mistakes of past corporate failures, this guide will be a valuable reference tool.
FOREWORD
INSIGHT AND ADVICE
Sir John Parker, Chairman, Anglo-American
Controlled risk-taking lies at the heart of all commercial activity. However,
boards can fail to manage risk for a variety of reasons.
Some downside risks may emerge from within the organisation as a result of
operational failures. But many corporate disasters occur due to the weakness of
the board itself. The board has the potential to be both a source of risk to the
organisation as well as an effective means of risk mitigation.
This practical new guide for directors is designed to ensure that your
organisation does not become the next case study in the annals of poor risk
management. Various sources of boardroom risk are addressed. In some cases,
individual directors may simply lack the necessary expertise or experience to
understand the business in all its complexity. In other instances, a charismatic or
overbearing CEO may dominate the boardroom conversation. Even a period of
corporate success can, ironically, often prove to be a source of danger. It may
make it difficult for the board to challenge or criticise the status quo. The board
may fall victim to the delusions of ‘groupthink’ or overconfidence.
It is all too easy for directors to discount the significance of these and other
boardroom pitfalls: “It will never happen to us.” History has shown, however,
that such issues can easily arise on boards, even among directors of high calibre.
The intransigence of such problems is both a reflection of the complexities of
human behaviour and an increasingly challenging business environment.
By bringing together the insights of leading experts in corporate governance
and risk management, this publication seeks to help shape the risk management
agenda of board members. In particular, it will assist chairmen and non-
executive directors to hit the ground running in their risk management role, and
rapidly ask the right questions of the CEO and the rest of the management team.
I commend this practical and insightful new publication as a significant
contribution to the risk management awareness of directors across a wide range
of organisations.
CHAPTER 1
A WORLD OF DANGER
Nicolas Aubert, UK Managing Director, Chartis
SNAPSHOT
■ New risks are constantly emerging, including the dangers of doing business in global markets.
■ Many board members fail to recognise the dangers they face personally.
■ Different-sized companies face varying sizes and types of risk.
■ Managing risk is not just about buying insurance.
■ With the right approach from the board, most risks can be successfully managed and mitigated.
BALANCING RISK AND REWARD
The balance between risk and reward is the very essence of business: without
taking risks companies cannot generate profits. But, as later chapters in this
Guide will explain, there is a world of difference between calculated risks, taken
with foresight and careful judgement, and risks taken carelessly or unwittingly.
The starting point for boards is to oversee risk in relation to their organisation’s
risk ‘appetite’ and ‘tolerance’ and to align their approach to risk with its broader
strategic aims.
In a world of increasing complexity and uncertainty, companies must build on
this foundation to manage risk more rigorously than ever.
A few fall victim to ‘black swan’ events – catastrophic external factors that are
entirely outside the company’s control – so rare and random that they challenge
the ability of organisations to plan for them. But many simply fail to understand
the extent of the dangers to which they are exposed. Board members are
particularly culpable, often underestimating the risks that their organisations
run, while also being blind to the dangers they face in a personal capacity, which
can result in financial penalties, criminal actions and ruined reputations.
(Chapter 11 of the Guide focuses specifically on the personal risks faced by
directors and officers.)
RISKS IN THE REAL WORLD
Some traditional risks remain common to all businesses, including risks related
to ‘bricks and mortar’, product liability and employer’s liability, among others.
Beyond these general business risks, different types and sizes of company tend to
face different sorts of risk. For example, small companies are especially
vulnerable to cashflow and credit risk, historically two of the greatest causes of
business failure when mishandled. In today’s difficult economic climate, small
firms are also more vulnerable to threats such as fraud, crime and vandalism.
The risk profile for mid-corporates, too, has changed in response to tough
times. A 2010 report by Chartis, Risk and Opportunity in the Mid Corporate Sector,
concluded that companies of this size (£5m-£50m turnover) perceive the ‘post-
crisis’ world as a much more uncertain place. Over 80% think that risks now seem
more real – in terms of the seriousness of the impact they could have on their
business – compared with five to 10 years ago, while a similar majority believe
there are also more risks to worry about.
The research showed their top concerns as:
■ Safety of physical assets (30% of respondents)
■ Public liability (28%)
■ Employer’s liability (25%)
■ Debtors/bad debts (21%)
■ Professional indemnity and negligence (16%)
■ Crime and vandalism (14%)
■ Staff turnover (14%)
■ Product liability (14%)
■ Business interruption (14%)
■ Volatile global markets (12%)
EMERGING RISKS
The report also noted which of these risks have shot up the agenda as a result of
the economic downturn. They include, not surprisingly, concerns about debtors
and bad debts, and about over-reliance on a few suppliers. Similarly, professional
indemnity and negligence-related risks have become much more of a worry.
Other risks have grown in recent years, threatening companies of varying
sizes. Among the most dangerous are ‘cyber risks’. Any company dealing with
electronic data, whether on mobile devices, computers, servers or online, faces
such risks, which range from loss of information on a single laptop to the threats
posed by cloud computing. Businesses may also face issues regarding denial of
service or defacement and disruption to their web presence. According to the
Government’s Office of Cyber
Security and Information
Assurance, cyber crime – which
ranges from petty fraud to
competitor theft of intellectual
property and commercial
information – now costs UK
businesses £21bn a year.
Cyber risks are evolving and becoming more complex. Where organisations
have in the past invested in security and protection for their physical assets,
consideration now needs to focus on network and system safeguards.
INTERNATIONAL RISKS
Recent years have seen the growing globalisation of business – and where
business goes, risk goes with it. Multinationals, which can include any company
with an overseas presence – not just the global giants – face a wide range of
potential dangers.
All multinationals, whatever their size, face supply chain risk. Today’s super-
efficient manufacturing practices exacerbate it, with supply chains so
streamlined that if anything goes wrong companies are very exposed. This was
highlighted by the sight of workers in the UK car industry – both in large plants
and in dependent smaller firms – being put on short time when Japan’s
earthquake and tsunami choked off component supplies. In another recent
example, supplier issues saw Marks and Spencer fall short of stock in some of its
best-selling clothing lines, causing a dent in its profits and its share price.
A worthwhile safeguard is to check out, through certification or other means,
the insurance coverage purchased by key suppliers. It is one thing to wait for
insurance payments to be made against a supplier having suffered a loss; it is
something else to have to source an unknown/untested supplier at short notice
because the incumbent isn’t insured and is unable to trade.
Trade credit risks (the risks to a company’s accounts receivables) are an issue
for a wide range of UK companies, including mid-corporates as they expand into
new territories.
In more unstable territories, political risks are always an issue to consider.
What happens if a government unilaterally cancels a contract, or even
nationalises a company – as has been seen in Argentina recently, with the state
taking control of Spanish oil company YPF Repsol? Politically motivated violence
can result in property or collateral damage for a company, and problems can
occur when equipment or currency cannot be repatriated.
There are other newly-established risks too, a prime example being
environmental liability. In line with the EU’s Environmental Liability Directive
(ELD), many European countries have recently introduced legislation that
requires companies to either buy environmental insurance or provide alternative
guarantees to fund the cost of damage to the environment that they may cause.
The ELD introduces two types of liability: ‘strict’ – in respect of environmental
damage caused by operators who professionally conduct potentially hazardous
activities; and ‘fault-based’ – in respect of environmental damage to protected
species and natural habitats from all other occupational activities. The
legislative changes affect different companies in different ways, but it is
important that all companies review if and how they are affected.
A key issue is the high degree of regulation of insurance, with significant
differences in various countries. It is essential that multinational companies
meet the tax and regulatory requirements in each jurisdiction in which they
operate. A prime example would be in the rapidly growing ‘BRICs’ (Brazil, Russia,
India and China). UK-written policies are often deemed ‘non-admitted’ in the
BRICs, so UK companies need to purchase cover in the local jurisdiction.
For insurable risk it is prudent for firms to choose an insurer whose
international presence matches their own – not only now, but also in the future if
looking to expand. Local knowledge and business relationships, commonality of
languages spoken and understanding of the local markets are not to be
underestimated. A global broker should also be considered to bring a local
tripartite relationship together to ease the resolution of issues.
REPUTATIONAL RISKS
Reputational risk too has grown in importance. In a 2011 report from the
Financial Reporting Council (FRC), Boards and Risk, participants from major
companies did not consider reputational risk to be a separate category, but a
consequence of failure to manage
other risks successfully. But the
report notes that the ‘grace period’
that a company has to deal with a
problem before it becomes
reputationally – and subsequently
financially – damaging, has been
sharply reduced. Developments in
media and communications, including social networking, mean that news of
failures or problems now often has an almost instantaneous impact locally and
internationally.
RISKS CAN BE MANAGED
The ‘bottom line’ for businesses is that all of these risks are both identifiable
and manageable. Through ‘gap analysis’ you can identify risks that need
mitigating. For those risks that you feel you cannot retain, the next step is to
consider transferring them. Some may be passed to suppliers, customers or
sub-contractors through legal and contractual arrangements, while for others
risk transfer will involve the purchase of insurance.
The need to develop robust risk management strategies is evident. Used
effectively, they enable businesses to identify many potential threats and to
implement plans for mitigation. They also help to reduce costs and insurance
premiums. By taking a systematic approach to identifying, managing and
exploiting risk, many more UK businesses can build a stable, successful future.
ROADS TO RUIN
Roads to Ruin, A Study of Major Risk Events: Their Origins, Impact and Implications, a 2011 report by Cass Business School on behalf of Airmic, highlights seven key risk areas that are potentially inherent in all organisations. They can pose a real threat to any firm, whatever the size, which fails to recognise and manage them. They are:
1. Board skill and NED control: risks arising from limitations in board skills and competence and on the ability of the NEDs effectively to monitor and, as necessary, control the executive arm of the company;
2. Board risk blindness: risks from board failure to recognise risks inherent in the business, including risks to business model, reputation and ‘licence to operate’, to the same degree that they engage with reward and opportunity;
3. Inadequate leadership on ethos and culture: risks from a failure of board leadership and implementation on ethos and culture;
4. Defective internal communication: risks from the defective flow of important information within the organisation, including up to board level;
5. Risks from organisational complexity and change: including risks following acquisitions;
6. Risks from incentives: including effects on behaviour resulting from both explicit and implicit incentives;
7. Risk ‘glass ceiling’: risks arising from the inability of risk management and internal audit teams to report to and discuss, with both ‘C-suite’ executives and NEDs, potential dangers emanating from higher levels of their organisation’s hierarchy, involving for instance, ethos, behaviour, strategy and perceptions.
Case studies from Airmic’s Roads to Ruin report, illustrating many of these seven risk areas, are highlighted on pages 32, 39, 52, 60 and 72.
CHAPTER 2
THE BOARD’S DISTINCTIVE ROLE IN RISK OVERSIGHT
Dr Roger Barker, Head of Corporate Governance, Institute of Directors
SNAPSHOT
■ A key rationale for the board is to ensure that company decision-making is undertaken in the interests of all relevant stakeholders, not just company insiders such as management or dominant shareholders.
■ The board’s biggest contribution to effective risk management is likely to be its choice of chief executive. But it also plays a key role in defining the company’s risk tolerance and risk culture, and in identifying major risks that may have been overlooked or discounted by management.
■ The board’s main ongoing task is to perform risk oversight, so it needs to satisfy itself that effective risk management is being practised at all levels of the organisation.
WHAT IS THE POINT OF THE BOARD OF DIRECTORS?
A board of directors is a legal requirement for any corporate enterprise. However,
the justification for a board of directors in a modern quoted company owes more
to considerations of risk than the need to comply with regulation or statute.
In particular, the board can be seen as a direct response to a key risk posed by
the structure of the modern public company: that decision-making becomes
dominated by company insiders – particularly the chief executive and top
management – whose interests are not necessarily aligned with those of the
company’s stakeholders (particularly its shareholders). A large number of
corporate disasters over the last two decades have highlighted the saliency of
this risk.
The board of directors exists as a distinct layer of governance, sandwiched
between management and the company’s shareholders. In most countries,
national corporate governance codes or regulations stipulate that a majority of
board members should be independent non-executive directors. In addition, it is
increasingly seen as best practice for the board to be chaired by an independent
chairman whose role and responsibilities are entirely separate from those of the
chief executive. In European countries with a dual board structure (for example,
Germany, the Netherlands and Switzerland) greater board independence is
sought by removing executives from membership of the board altogether (to
form the so-called supervisory board).
The motivation behind these structural requirements is to encourage the
board to think and act as an independent body, particularly in relation to
company management but also vis-à-vis any large shareholders that might
dominate the company’s agenda. In comparison with a board dominated by
company insiders, such a board is seen as being better able to make decisions
that are in the broader interests of the company as a whole.
It has not always been like this. Thirty years ago, the boards of most large UK
and US companies were almost
entirely populated by senior
managers. And outside the UK and
US, it remains common for directors
to be delegated to the boards of
listed companies as representatives
of dominant shareholders.
However, a governance structure
without an independently-minded board creates substantial risks for the
company and its stakeholders. A much discussed problem of corporate
governance – commonly referred to as ‘the agency problem’ – arises from the
risk that the executives hired to run the company will have a different business
agenda to that of the shareholders.
The risk of simply leaving management to its own devices is particularly acute
in stockmarket-listed companies due to the ‘laissez-faire’ governance approach
of many modern institutional shareholders. In contrast to the shareholders of
privately-held firms, such investors are distant from the company. Their
investment portfolios typically consist of small percentage equity positions in
hundreds of individual stocks. As a result their incentive to actively monitor the
risk-taking activities of management is limited.
Furthermore, they typically have no appetite to step ‘inside’ the company,
and serve on boards themselves, due to the constraints that this would impose on
their ability to buy and sell the company’s shares.
Reflecting their own limitations as governance monitors, institutional
shareholders have been key proponents of more independent boards over the
last couple of decades. From their perspective, a key role of the board is to act as a
neutral arbiter of company interests. This gives them greater confidence to
invest as minority shareholders.
More generally, an independently-minded board should be a source of
reassurance to all stakeholders. It reduces the risk that company decision-
making is dominated by one group or one person. It helps ensure that the
company’s activities are subject to objective challenge and risk-analysis by a
second group of independent experts. The board provides, in essence, the
ultimate risk management mechanism at the apex of the company structure.
THE BOARD’S RISK OVERSIGHT RESPONSIBILITIES
Once it has been established, the board has a number of unique roles with respect
to risk management, which are distinct from the risk management activities of
the top executive team.
First and foremost, the board’s most important contribution to effective risk
management is likely to be its choice of chief executive. If the wrong person is
appointed to lead the company, then all of the board’s subsequent efforts to
contribute to effective risk management will be severely compromised.
In cases where the chief executive’s approach to risk is not serving the
interests of the company, the board has an equally important role in replacing
him or her with a more appropriate candidate. This may not be a pleasant task.
But it is likely to be the single most important way that the board can contribute
to effective risk management.
A second basic issue for the board involves defining the nature and extent of
the risks that the company is willing to take. This is not just a question of listing
activities that the company should undertake or avoid. It is also about defining
an attitude to risk, a ‘risk culture’, that makes sense for the company as a whole.
Establishing the risk tolerance of the company should always be regarded as a
specific board responsibility. It should not be set by management or left to
emerge by default without explicit discussion by directors.
A third area in which the board is well-placed to play a meaningful role is in
identifying risks to the organisation that the chief executive – for a variety of
reasons – may have overlooked or discounted. In more extreme cases, they could
be risks that management is actually attempting to conceal. Success in this role
will depend on the board being able to combine an independent critical mindset
with relevant business expertise.
Beyond these distinctive board level responsibilities, it is important for
directors to recognise that most risk management activities will not – and should
not – be directly undertaken by the board. Given the board’s relatively limited
resources, this would be an impractical task. Most risk management will be
performed by the CEO, individual line managers and specialist control
departments such as internal control, compliance, risk management, internal
audit and business continuity.
However, the board does have a key role to play in the ‘oversight’ of these risk
management activities. It should regularly satisfy itself that the company has
effective risk management and control systems in place. Furthermore, directors
should take steps to establish direct communication with relevant risk
management units and external sources of information (including possible
access to whistleblowers) in order to ensure that the board does not become
insulated from the reality of the company’s situation.
Directors also have a more informal role in ‘taking the temperature’ of the
organisation in order to clarify if the board’s chosen risk culture is being reflected
in the behaviour and attitudes of managers and employees on the ground.
A practical issue for the board is whether to delegate some of its risk oversight
activities to committees of smaller sub-groups of directors. As a bare minimum,
most large companies nowadays have audit, nomination and remuneration (or
compensation) committees, which are often mandated by regulation or national
corporate governance codes.
However, other types of committee may also be established to focus on
specific risk issues, for example, health and safety, corporate social
responsibility, or environmental issues. Overall responsibility for risk oversight
should always remain with the board as a whole. However, a board committee
may assist overall board functioning by allowing a more detailed consideration
of important categories of risk.
An issue that has arisen in recent years concerns the potential establishment
of a designated risk committee. Risk committees are now a common feature of
many financial institutions. In that context, they are typically engaged in
overseeing the forward-looking risks arising from exposure to various kinds of
financial asset. However, risk committees are viewed as less relevant to non-
financial companies. In such enterprises, forward-looking risk assessment is
normally seen as a core activity of the board as a whole.
In summary, the board exists to
ensure that the company fulfils the
interests of its key stakeholders. In
such a role, it is an intrinsic part of
the company’s overall risk
management structure. However,
the challenges facing directors in
this task are considerable. The rest
of this book provides insight into how the board can rise to these challenges, and
help ensure that the company’s mission is not derailed by the impact of
inappropriate or unforeseen risks.
CHAPTER 3
KEY CHALLENGES FACING BOARDS IN RISK OVERSIGHT
Alpesh Shah, Actuarial Risk Practice Director, and Richard Sykes, Governance, Risk & Compliance UK Leader, PwC
SNAPSHOT
■ Discharging the board’s duties and responsibilities around risk oversight presents tough challenges. These include ensuring adequate ability to understand key risks, creating the time necessary to debate properly, and having the courage to stand up to management.
■ These challenges are further compounded by the variable quality of risk information reaching the board, the increasingly complex nature of organisations leading to complicated risk issues, and management’s potential conflict between managing or reducing risk and striving for improved performance.
■ The external perception of risk is also changing with the speed of risk impacts and the contagion between operational, financial and reputational consequences demanding increased agility from the board.
BALANCING RISK AND REWARD
Discharging the board’s duties and responsibilities around risk oversight is often not straightforward and presents a range of challenges. At the heart of these
challenges are the perceived conflicting desires between striving for improved
performance, as demanded by shareholders and compelled by competitors, and
the need to understand and manage the risks in achieving this. While executive
and senior management will often be driven to improve performance to achieve
strategic objectives, reinforced by remuneration and incentive mechanisms, the
board needs to ensure that the risks taken by management to achieve these goals
are understood and appropriately mitigated. Most organisations’ remuneration
structures are geared towards rewarding exceptional performance, looking to
align the interests of management with shareholders to create value. Whilst in a
very limited number of financial sectors we are now starting to see incentive
mechanisms that reflect the amount of risk taken to deliver performance, the
lack of a risk dimension for many does not support prioritising risk
considerations within the business. This can create potential tension in the
boardroom and between the board and senior managers.
In practice, this tension can manifest itself in a number of ways. Non-
executive directors (NEDs) will often have a less detailed awareness of the key
risks within the business compared to management. The nature of the role
means they will have access to less information than management on which to
assess the risks undertaken by the organisation. Addressing this information
asymmetry can often be a challenge.
The source of information around risks will vary significantly between
organisations. Some will rely on risks being identified and reported from lower
levels in the organisation, aggregated at a companywide level by someone
responsible for risk management. Others will rely on senior or executive
management preparing a suitable summary of key risks and responses for board
consumption. Such approaches are not always founded on underlying risk
indicators from within the business and may be unduly influenced by executive
perceptions of risks and board expectations.
The key question is how much of this risk information from the business is
provided to the board? Management will naturally seek to review and potentially
sanitise this information before presentation to the board. As a result, while
board members can gain some understanding of the effectiveness of risk
management from this process, the lack of detail or focus on key or emerging risk
issues will hamper the NEDs’ ability to discharge their duties in effective risk
oversight. Many organisations struggle to prepare an appropriate summary of
the risk profile of the company for board members, which succinctly articulates
the key risk exposures, threats and emerging issues. Often such analysis is
separate from discussions around strategy and performance. This hampers the
appreciation of risk in the context of returns for shareholders through achieving
strategic objectives. Often the risks that are most material to an organisation will
be those that disrupt the business’s ability to achieve its strategic objectives.
Understanding how much risk has been taken in the pursuit of strategic
performance is one of the ways in which the board can understand if the current
risk profile is appropriate.
Even if appropriate information is provided to the board, there is often a
hurdle for NEDs in appropriately understanding and challenging this
information. This is more acute for those NEDs who come from unrelated
industries and so may not have the same level of understanding of risks within
the industry. The responsibilities of
directors are ever-increasing and
many NEDs commonly comment
that these responsibilities need to
be discharged within significant
limitations of time and resources.
How much time does the board, and
NEDs in particular, devote to
understanding and addressing risk issues? While for many companies risk is
playing an increasing role at board discussions, the complexities of
organisations and the risk issues they face require increasing time and resources
to be fully understood.
Putting this in the context of an increasingly complex and diverse business
and risk environment compounds the problem. Today, companies are faced with
a larger range of risks from an increasing variety of sources. This changed risk
landscape has resulted in more recognition of the potential exposure to extreme
risk events that are both very hard to plan for and typically lead to significant
adverse consequences for organisations. These ‘black swan’ risks require a
broader and potentially varied risk management response from organisations
and clear direction from boards. The challenge for boards is to broaden the
nature and richness of the risk discussions they have, to ensure they give
appropriate attention to all types of risks.
In addition, the speed at which risks manifest themselves and have an impact
on the organisation is quickening. In the past, the impact of operational failures
could often be managed internally with limited reputational and external
impacts. Today, any risk event is potential headline news, resulting in
reputational and business effects on the organisation. This ‘risk contagion’,
where the impact of operational risk quickly leads to reputational and broader
business effects, demands agility of response to minimise the impact on the
organisation. Boards are often not able to respond with the speed and agility
required during and immediately after the occurrence of risk events. The
challenge for boards today is to ensure that they and their companies are
prepared to respond quickly to risk events should they occur.
Reputational impacts are becoming a more significant driver of risk
considerations. Traditional risk management approaches have often tried to
measure risk impacts financially. Understanding the reputational effect of risks
and weighing this against financial and other impacts is becoming increasingly
important and presents new challenges for both board members and companies’
risk management functions.
Organisations operate within a variety of corporate governance structures.
Within whatever framework is adopted, the need for clear risk oversight from the
board, which is distinct from management, is essential. NEDs bring valuable
insights from other companies, industries and geographies and these will
include perspectives on risks and risk management. One of the more significant
challenges to good risk management within organisations is the lack of breadth
of risk thinking. There is a danger that risk management is often focused on
health and safety, financial or operational issues that are the forefront of day-to-
day business activity. The broader perspective on a variety of risks that comes
from the diversity of the board, including exogenous hazards and strategic
threats, helps support a richer and more comprehensive risk management
process. Demonstrating the potential relevance of these external, independent
views to the organisation and getting senior management and executive buy-in
present an additional challenge for the board.
Even when boards understand risks, how well do they appreciate the reliance
placed on key risk mitigation? For some risks, insurance may provide an essential
cushion against the financial impact
of risk events. However, insurance is
a complex product and there is
increasing recognition that the risk
of insurance coverage being
misaligned with the changing risk
profile of an organisation may
compromise the quality of this key mitigation tool. Given these complexities,
how can the board effectively challenge and gain comfort that insurance cover
will be in place where needed?
For other risks, key operational and other controls should help manage risk
exposures to acceptable levels. The board will often seek assurance from internal
and external audit around the effectiveness of some controls. However, many
risk management frameworks fail to appreciate the true risk exposure before
credit is taken for any controls. As such, less emphasis is placed on the value of
controls in reducing the impact and likelihood of risk events occurring. It is often
the failure of one or more of these controls that leads to a previously well-
controlled risk having a material and unexpected impact on an organisation. In
addition to understanding the underlying risks within the business, boards need
also to understand the reliance being placed on key controls.
There is often a desire for unity of thinking and opinion around the board
table. This may engender confidence in external stakeholders and internal
management that the strategic direction of the organisation is sound and
supported by all. However, the role of NEDs in challenging executives and senior
management is essential to good governance. The challenge around risk is no
exception. Appropriate risk information needs to be available to the whole
board; the board needs sufficient risk management competency to assess this
information effectively; and there needs to be an open and constructive dialogue
between executive and non-executive directors around risk issues.
KEY QUESTIONS FOR BOARD MEMBERS
■ Is the quality and breadth of risk information you see on the board enough
for you really to understand the organisation’s risk profile?
■ How confident are you in your board’s ability to understand and challenge
the organisation on the effective management of risk?
■ How prepared and agile is your organisation and the board to respond to
risk situations should they arise?
THE PIVOTAL ROLE OF THE COMPANY SECRETARY
The growing importance placed on corporate governance has enhanced the role of the company secretary. The holder of the post is now seen in many respects as the guardian of a company’s governance and an independent adviser to the board. The Financial Reporting Council (FRC), in its most recent revision of the UK Corporate Governance Code, makes this point: “The company secretary should be responsible for advising the board through the chairman on all governance matters.”
The secretary thus has a responsibility to all directors, but for practical reasons, the chairman needs to retain some control. The Code sees the secretary as a resource for the whole board: “All directors should have access to the advice and services of the company secretary, who is responsible to the board for ensuring that board procedures are complied with.”
The administrative role is crucial: “Under the direction of the chairman, the company secretary’s responsibilities include ensuring good information flows within the board and its committees and between senior management and non-executive directors, as well as facilitating induction and assisting with professional development as required.”
Not only is the secretary in many ways a chief of staff to the chairman in running an efficient and effective board, but there is also a relationship with each director, who might seek the independent view of the secretary on an area of potential dispute or controversy. (This is why it can be problematic if an executive director is also the company secretary.)
Non-executives can in particular look to the secretarial team for help and guidance in their role and to understand fully proposals coming before the board. If they want to seek independent advice outside the company (as encouraged by the Code), that can often be achieved through the company secretary.
Induction of new directors was an area highlighted by the 2009 Walker review as a means of improving the effectiveness of non-executive directors, who might come to their post with little or no knowledge of the workings of the company and its board, and possibly little experience of its business sector. The secretary has a key role in designing and implementing an induction process that quickly and efficiently gives directors the knowledge they need to play a full part in the boardroom.
For a company secretary’s perspective on risk management information and the board, see Chapter 9.
Source: The Director’s Handbook, IoD/Kogan Page, 2010
CHAPTER 4
THE BOARD’S ROLE IN ESTABLISHING THE RIGHT CORPORATE CULTURE
Professor Roger Steare, Corporate Philosopher in Residence and Professor of Organisational Ethics at the Cass Business School
SNAPSHOT
■ Good corporate governance is primarily dependent on board members defining a clear moral purpose and modelling core values, sound judgement and leadership behaviours.
■ Having a good corporate governance structure and effective processes and systems are also important, but these exist to measure core leadership qualities.
■ The mitigation of risk begins with a clear and deep understanding of human behaviour in the workplace. Robots are designed to comply with clear instructions; human beings need inspiration.
MANAGING RISK – IT’S ABOUT PEOPLE AS WELL AS PROCEDURES
“Leadership is a potent combination of strategy and character. But if you must be without one, be without the strategy.” General Norman Schwarzkopf
To understand how to manage risk, look at how people manage risk in extreme
environments. Managing risk in war is a great example. Strategy, planning,
training, rehearsal and operational excellence are vital. But without character,
just cause, judgement, courage, and love for country and comrade, they will lose
and they may die.
In business, unless the board displays the same understanding of how to lead
‘hearts and minds’, then no matter how diligent its governance structure,
processes and systems, its plan will not survive contact with the reality of human
character, judgement and behaviour.
The overwhelming evidence of history is that human communities only
function and sustain themselves when people:
■ Have a clear moral purpose;
■ Truly care for each other;
■ Co-operate and make good decisions about how to get the scarce resources
they need in a hostile environment;
■ Do all these things in a way that sustains their environment for
future generations.
Governments and business leaders who build a cage of laws, regulations and
internal processes become high risk, dysfunctional, mindless, fear-driven,
bureaucratic, totalitarian communities, dominated and exploited by narrow
elites. Just as we are seeing the decline of totalitarianism in the nation-state, for
example in Egypt, Libya and Syria, we are also seeing the end of the corporation
as a feudal construct. Yes, organisations need effective governance to help
mitigate risk. But without moral purpose, character, judgement and behaviour,
they will not prosper or survive.
THE MORAL PURPOSE OF BUSINESS
Why does a business exist? Perhaps it is to make money. But unless it is clearly
understood how it makes money, it will not make money for long.
The reality is that the purpose of business is to offer human beings a social
environment to co-operate and to share know-how and resources in order to
meet their needs. A business only exists when it functions as a community that
brings together investors, entrepreneurs, employees, customers, suppliers and
communities to provide goods and services to each other. Whilst making money
is an important measure of success for investors, entrepreneurs and employees,
a business will not make money for long unless its customers get quality goods
and services at a price that is fair. It will also fail to make money for long unless it
treats the members of these various stakeholder groups with empathy, fairness
and respect. This is the moral component of purpose in business.
Some good examples of well-run businesses with a clear moral purpose are
Nationwide Building Society, The Co-operative Group and The John Lewis
Partnership. These businesses have not only survived in the current economic
downturn, they have positively thrived. It is no accident that each of these
businesses is a mutual or partnership. Mutuality is the form of association that
underpins families, friendships and the best local communities. It has been
proven over thousands of years. Corporatism, on the other hand, is good for
short-term success, but bad for risk and for sustainability.
CHARACTER, JUDGEMENT AND BEHAVIOUR
The banking crisis of 2007-9 prompted several inquiries into the apparent
failures of governance that precipitated it. They included the Walker Review into
the corporate governance of banks, which for the first time addressed the
question of the ‘character’ of bank directors and senior managers.
The Financial Reporting Council (FRC) also reviewed its UK Corporate
Governance Code. I co-authored a submission to the FRC’s review with David
Phillips, Senior Corporate Reporting at PWC, which sought to address the same
issues of the character, judgement and behaviour of directors and boards. The
submission stated:
“Character, judgement and behaviour are connected stages in a process.
Character or integrity is the sum total of all our moral values and informs the
behaviour of trusted adults. Good collective judgements and decisions are made when
we consider not only legal rules and obligations (which should be regarded as the
‘letter’ of the law), but also how our values (the ‘spirit’ of the law) help us to decide
fair and reasonable outcomes for all stakeholders. We must also acknowledge that
this process will vary according to the situational context faced by boards. As a
consequence, it is critically important not only that the behaviours of organisations
are better understood, but that there are processes in place to monitor the
environments in which they operate, particularly to identify those situations when
rational human behaviour is most challenged.”
The fundamental failure of governance that precipitated the banking crisis
was not because directors failed to understand financial risk; it was because they
failed to govern with courage and integrity. This failure was not caused by a lack
of technical knowledge; it was caused by failures of character, judgement and
basic arithmetic. As we continue to pick over the wreckage of our financial
system, it is clear that many post-mortems into corporate governance are fixated
by board structures, remuneration policies and risk management systems. They
do not focus in any meaningful way on the behaviour of human beings, per se.
It is baffling that boards, government and regulators seem to ignore the
powerful tools now available to measure and change human character,
judgement and behaviour. Even bus drivers are routinely given personality tests
to measure whether or not they can exercise self-control in stressful driving
conditions. So why not also test directors and senior managers to understand
their character and decision-making skills?
Results from a well-established integrity test, the ‘MoralDNA’ profile*,
clearly demonstrate how and why failures in character and judgement lead to
high-risk behaviours. The bar chart opposite measures the ethics in life and at
work for over 1,000 directors and senior business executives, in corporations
with a combined market capital in excess of £200bn, who have taken the test. It
shows how their preference for making decisions based on the ethic of obedience
increases when they go to work. On the face of it, this might be considered a good
thing. However, the research also shows that their ethic of care is suppressed at
work. The combined effect of both of these phenomena is actually to increase
behavioural risk. If people become more compliant, they also become more
robotic. They are less likely to think, to question or to challenge any instruction.
This, of course, is fine if the instruction is ethical, but what if it is a newspaper
editor demanding a phone-hacked scoop or a sales director demanding a sales
target that forces mis-selling? If, at the same time, businesspeople are also
suppressing their ethic of care, then de facto, they will not feel guilty about
hacking someone’s phone; the victim is just a story, rather than a human being.
Likewise, they will be willing to mis-sell a bond to a 90 year-old, who is seen not
as a person, but as a sales target.
But all is not lost. For these directors and business leaders, their default ‘life’
scores as human beings are all above the global average score of 50. This finding,
together with experience of working with the boards and senior leaders of major
corporations, provides the most powerful solution to the challenge of
governance, moral leadership and culture. The evidence confirms that the vast
majority of directors are good people who ‘do the right thing’. However, when
people come to work, they suppress some of their judgement and some of their
humanity. They become thoughtless and careless. The simple but challenging
solution is to create the right environment, the right culture, for directors, for
leaders and for all employees to bring their humanity to work.
“CULTURE EATS STRATEGY FOR BREAKFAST”
This is a quote from a very senior executive responsible for safety at one of the
major oil and gas players. The point he was making is that managing risk in high-
risk businesses such as his ultimately boils down to the character, judgement and
behaviour not just of individuals, but of social groups in the workplace. This is
what we call ‘culture’. Every workplace has a culture. But it is self-evident that
many boards and senior executive teams do not properly understand the culture
of their business and then, by definition, fail to influence it in a way that not only
mitigates risk but also enhances the value of the business.
Returning to the aforementioned submission to the FRC, the following were
the recommendations on leadership and culture:
[Bar chart: MoralDNA™ Ethics in Life and at Work. Vertical axis: Scores (48 to 58). Categories: Ethic of Obedience, Ethic of Reason, Ethic of Care. Series: Life, Work.]
“Character and behaviour
Furthermore, we believe the system can be further strengthened if work is undertaken
to increase boards’ understanding and awareness of the character and behavioural
mix that is more likely to support an effective governance environment. In particular
we suggest that the FRC should:
■ Conduct research and encourage market experimentation around the use of
tools and techniques that can be used to assess the character and behavioural
profile of directors and boards; and
■ Consider ways in which boards and individual directors can develop a
conscious, diligent and verifiable collective decision-making process, that
captures the essence of what is meant by the FRC in its references to ‘character’
and ‘behaviour’ throughout its July 2009 consultation document.
External reporting – exposing culture, values and behaviours
In a similar vein to the point made above, it may also be beneficial for boards to
explain the behavioural tone which is established in the way it engages with
shareholders and the management team and in the actions it takes. This can be seen
as a statement of ‘who we are’ and ‘what we stand for’. In this context, boards may
wish to explain what management style and behavioural norms they encourage and
what behaviours they will not tolerate. Here an understanding of the actions and
penalties that have been put in place to deal with such exceptions could provide
added impact.”
THE MORAL MAZE
The challenge for boards is to decide whether corporate governance can be
effective without moral leadership and culture. If the answer is ‘no’, then board
members need to understand their personal and collective character, judgement
and behaviour. This requires insight, oversight and expertise not found in
rulebooks, tick-boxes and codes of conduct, but in moral philosophy and social
psychology. In short, they need to understand who they are, how they decide
what is right, what they do and their role as leaders in meeting these challenges.
KEY ACTIONS FOR BOARD MEMBERS
■ Question the purpose of your business. Is it meeting the needs of all your
key stakeholders?
■ Challenge your own values, decision-making and behaviours as leaders.
Are you bringing your humanity to work?
■ Ask colleagues, customers, suppliers and local communities how they really
feel about your business. Does it inspire them? Do they love it? Why and in
what way?
■ When you have the answers to these questions ask yourself: “What are we
doing well that we need to keep doing?”, “What are we beginning to do
well, but need to do more of?” and “What are we not yet doing and need to
begin?”
CONTRIBUTOR
Professor Roger Steare FRSA is ‘The Corporate Philosopher’. He is Corporate
Philosopher in Residence and Professor of Organisational Ethics at the Cass Business
School, City University London. He is a Fellow of cross-party policy think tank,
ResPublica, and consults with major corporations such as BP and HSBC, the
Financial Services Association (FSA) and the Serious Fraud Office (SFO) on better
regulation and enforcement. Visit: www.TheCorporatePhilosopher.org and
www.ethicability.org
* The MoralDNA profile is a short personality test that sets out to reveal a person’s
moral values and the way they prefer to make decisions about what is right.
Developed in 2008 by Professor Steare and chartered psychologist, Pavlos
Stamboulides, the profile now measures 13 factors to describe character and
judgement and has so far been completed by more than 50,000 people from over 200
countries, many of them business leaders. The results from this research are now
being referenced by the FSA and the SFO, given their respective mandates on
mitigating financial market and corruption risks. To take the profile, visit
www.MoralDNA.com
31
THE BOARD’S ROLE IN ESTABLISHING THE RIGHT CORPORATE CULTURE
32
Mr Arthur E. Andersen, founder of Arthur Andersen, cemented his reputation when hetold a local railroad chief that there was not enough money in Chicago to persuade himto enhance reported profits by using ‘creative’ accounting. He lost the account – but therailroad firm went bankrupt soon afterwards. Mr Andersen had a clear moral compass.
By the 1980s, the firm was adopting the ‘Big Five’ auditors’ new business model:grow the business by selling consultancy on the back of the audit relationship. Andersenembraced a ‘2x’ model – bring in twice as much consultancy as audit revenue. Thosewho succeeded in doing so were rewarded, while those who did not faced sanctions.Fear of losing consultancy work must have pervaded audit teams.
Through its work for Enron, Andersen earned $25m in audit fees and $27m inconsultancy fees in 2000. Over the years, Andersen had been involved in creating andsigning off creative accounting techniques, such as aggressive revenue recognition andmark-to-market accounting, along with the creation of special purpose vehicles (SPVs)for doubtful purposes. By 2001, the firm was sufficiently concerned for 14 partners,eight from the Houston office that handled Enron, to discuss whether they retainedsufficient independence from Enron. Having observed that revenues could hit $100m,they decided to keep Enron’s account. Mr Andersen might have acted otherwise.
As news of the US Securities and Exchange Commission’s (SEC) investigation intoEnron spread to Andersen, the Houston practice manager pronounced that, while theycould not destroy documents once a lawsuit had been filed, “if [documents are]destroyed in the course of the normal [destruction] policy and the next day a suit is filed,that’s great.” In the following days, Andersen’s shredders in Houston, London andelsewhere worked overtime. This loss of moral compass was key to the firm’s collapse.
Smaller firms are far from immune to defective business culture, misalignedincentives and, as a result, inappropriate behaviour. Furniture retailer, Land of Leather,for example, focused largely on deriving profit from the peripheral activities of sellingwarranty and PPI insurance, and rewarded staff accordingly. This created the risk thatmanagement and staff would neglect key issues of safety, quality and customerservice. The firm was among retailers that subsequently sold leather furniturecontaminated by a mould-inhibiting chemical. The direct effects of the ‘toxic sofa’cases included injuries to at least 4,500 people, and some £20m of claims by themagainst the firms responsible – a major factor in Land of Leather’s collapse in 2007.
Boards should be aware that the incentives they create or encourage can distort theoutcomes they wish to achieve.
THE IMPORTANCE OF BUSINESS CULTURE, INCENTIVES AND BEHAVIOUR
CHAPTER 5
RISK AND STRATEGY
Alpesh Shah and Richard Sykes, PwC
SNAPSHOT
■ Risks can be considered to be those things that affect the ability of an organisation to achieve its strategic objectives.
■ In order to improve performance and increase value, risks must be accepted – as the old adage goes, ‘There’s no such thing as a free lunch’. Given this, it is important that any consideration of the risks within an organisation takes place within the context of the strategy.
■ It follows that any determination of strategy should take account of the risks the organisation is exposed to. As risk and strategy are highly related, the challenge for boards is to align the risk and strategy discussion.
RISK AND REWARD
Good risk management not only requires appropriate identification, assessment
and reporting of risks to the board to determine an organisation’s risk profile, but
also essential is an understanding of how much risk is acceptable and how much
the organisation can bear. All organisations need to take on some risk in order to
achieve strategic objectives and deliver returns. The key risks that an
organisation is exposed to will be those that affect its ability to achieve its
strategic or performance objectives. As such, any discussion on how much risk is
acceptable to an organisation needs to be made in the context of its strategic
objectives. The danger is that risk discussions often happen as a separate process
within the organisation and therefore fail to get an appropriate level of board and
management attention.
Discussions in the boardroom will often focus on setting and achieving key
strategic objectives that are intended to support or enhance the business value
chain and so protect or improve the organisation’s value to its stakeholders. This
will be measured as performance and reflected in management incentives and
board remuneration. Implicit within any organisation’s value chain, however, is
exposure to a variety of risks. Collectively this can be referred to as the
organisation’s risk profile. Any changes to the business value chain, through the
implementation of strategy for example, will affect the risk profile. So, an
understanding of the value-adding benefits of strategic options should also
consider the implications for the risk exposures of the organisation. The desired
balance between risk and value is often referred to as ‘risk appetite’.
The determination of risk appetite will be driven by a range of external
influences, including shareholders, analysts, regulators, rating agencies,
competitors and customers. Risk appetite is essentially an articulation of the
amount of risk that the organisation will take in order to achieve its strategic
objectives. It is a tool with which the board can try to capture the expectations of
these external stakeholders, coupled with management’s and their own
expectations. Chapter 5 discusses how boards can articulate risk appetite.
Boards can improve their focus on risk and risk management by integrating
risk into the board strategic debate. Board members will often dedicate a
reasonable amount of their time to understanding, reviewing and challenging an
organisation’s strategy. Board strategy awaydays and dedicated planning
sessions are not uncommon and will be familiar to many. But how much does risk
form a key part of these discussions?
Understanding the key risks to the business, either from internal sources or
the environment in which it operates, should be a major influence on strategic
direction. These may be different and distinct from the risks to achieving
strategic objectives, which will focus on the key assumptions made in setting the
expected outcome of the strategy. While there is often focus by boards on the
risks involved in achieving strategic objectives, there is often a lack of
appreciation of the breadth of key risks that accompany the business, and within
which the strategy needs to deliver.
[Figure: diagram with the labels Strategic objectives, Business Value Chain, Performance, Value, Risk, Risk Profile, Risk Appetite and Risk Management Actions]
Boards should ensure that any discussion around strategy considers the full
range of key risks that the organisation is exposed to. These will typically fall into
one of four groups:
■ Financial risks – These are typically well controlled and are often the focus of many board risk discussions driven by the increased regulatory,
accounting and financial audit focus. In addition, as financial information
is a key tool to manage stakeholder communications and measure
performance and strategic delivery, board risk discussions will devote
considerable time to these risks;
■ Operational risks – As these will relate to the specific operations of the organisation, they will typically be managed from within the business and
will often have a focus on health and safety-type issues, as industry
regulations and standards require. These internally-driven risks may
impact on the organisation’s ability to deliver its strategic objectives.
■ Hazard risks – Often driven by major exogenous factors that impact the
environment in which the organisation operates. A focus on the use of
insurance and appropriate contingency planning will help address some of
these. However, there is often a danger that as many of these risks cannot
be controlled, boards and senior management will not reflect these in their
strategic thinking. The mindset that strategy is focused on controllable
factors creates the danger of not appropriately reflecting these risk drivers.
■ Strategic risks – These include risk factors that are typically external or impact the most senior management decisions and, as such, are often
missed from many risk registers. It is incumbent upon boards to ensure all
these types of risks are included in the strategic discussion.
[Figure: the four risk groups (Strategic, Hazard, Financial, Operational) with example risks: Demand shortfall; Customer retention; Integration problems; Pricing pressure; Regulation; R&D; Industry or sector downturn; JV or partner losses; Macroeconomic; Political issues; Legal issues; Terrorism; Natural disasters; Cost overrun; Operating controls; Poor capacity management; Supply chain issues; Employee issues incl. fraud; Bribery and corruption; Regulation; Commodity prices; Debt and interest rates; Poor financial management; Asset losses; Goodwill and amortisation; Accounting problems]
The external viewpoint that non-executive directors (NEDs) can bring to the
boardroom will play an essential part in ensuring this breadth of risk thinking
enhances the development of strategic thinking. The challenge for boards is to
ensure the processes followed to review and approve strategy can be flexed to
include an appropriate consideration of risk. There is a range of approaches that
may be considered.
A well-defined understanding of what risk means relative to strategy is
essential. The achievement of strategic objectives will often be expressed as one
or more key strategic intents or visions. Examples include: “Increasing revenue
by £Xm in the next year; increasing market share in core markets by Y%;
improving customer churn rates/satisfaction metrics by X”. In setting these
strategic objectives, it is the intent of the board and senior management that, in
achieving them, the value of the organisation will increase or be protected for its
shareholders (or for key
stakeholders for non-profit
organisations).
The impact of risk events can be
expressed as an acceptable variation
in these strategic goals that
management is prepared to accept
to achieve them (for example, 2%
growth with virtual certainty, or 10% growth with increasing risk of losses).
While not all risks can be mapped back to a defined impact on strategic outcome
metrics, the discipline of considering risks in this context will help boards to
understand the potential impact of these risks and prioritise management effort
to manage them accordingly.
SOME OF THE KEY QUESTIONS THAT BOARDS SHOULD ASK AROUND STRATEGY AND RISK ARE:
How well is my strategy actually defined?
A good understanding of the key risks to strategic intent and the value of the
organisation requires a good understanding of the strategy itself. A robust
articulation of the key elements of strategy (strategic intent, strategic
drivers/actions, the context within which the strategy will be delivered etc.) will
allow boards to isolate and identify how the strategy will interact with the risks
faced by the business. A lack of clarity around the strategy will encourage risk
and strategy to continue as two separate processes within the organisation.
Bringing these processes together will help align risk management to the
strategic delivery plan.
How broad are the risks we are considering?
Strategy needs to be defined in the context of the risk environment in which the
business operates. The broader the consideration of the types of risks the
business faces, the better the strategy can be developed to respond to or navigate
these risks. Bringing together the internal risk information from the business
with an understanding of exogenous risk exposures as highlighted by senior
management and NEDs in particular, should be a key focus of the board.
What risk scenarios have we considered to test our plans?
It is often not easy to identify all potential risk exposures and their causes. Those
risks that are going to be of most interest to the board will often be defined by the
potential impact of the consequences of the risk manifesting. Scenario analysis,
where the board encourages management to consider a range of scenarios that
result in significant adverse consequences for the business, can help ensure that
a wider breadth of risk impacts are considered. Workshops with NED input to
understand the range of plausible scenarios around key strategic outcomes are a
good way to bring this type of approach to the boardroom.
Stress-testing business plan assumptions to determine when the business
may ‘break’ will help boards to determine how much risk is acceptable.
Identifying critical assumptions on which the achievement of strategic outcomes
is dependent will help boards to focus on the key risks to these assumptions
being true. These techniques will help drive a better understanding of the risks in
the business in the context of strategic ambitions.
Have we mapped our risks to key performance and value measures?
Where possible, consideration of risks in the context of how shareholders or
stakeholders measure value in the business is vital. This will help management
to articulate to stakeholders how the risks they are taking or the business is
exposed to may impact the desired outcome. Creating a ‘common currency’ for
risk and performance also allows management to prioritise risk management
activities and focus on the more relevant risks to stakeholders and the board.
Encouraging management to understand risk impacts in the context of key
performance metrics can be a complex task. However, if the key value drivers of
the business are well understood by management, determining the potential
impact of risk events on these value drivers should be achievable and would be
considered part of a good risk management system.
KEY ACTIONS FOR BOARD MEMBERS
■ Integrate the discussion around risk and strategy to align your
organisation’s strategic objectives with your desire to take or mitigate risk,
both measured in a consistent way;
■ Build in mechanisms within your risk and strategy discussions to ensure an
appropriate breadth of risks are considered across the financial,
operational, hazard and strategic risk spectrum;
■ Aspire to a more risk-aware culture by ensuring risk is considered alongside
performance in your organisation’s key activities and incentive
mechanisms.
Risk governance first became a mandatory issue in the UK with the Turnbull guidance of 1999, revised in 2005, and further reviewed following the 2008 financial crisis. Sir David Walker’s 2009 review made detailed recommendations about the handling of risk in the financial sector. The UK Corporate Governance Code (May 2010) requires boards that are subject to the UK Financial Reporting Council (FRC) rules to set risk appetite. This cannot be done without a comprehensive understanding of all the risks the organisation faces and how they might combine. If the board does not set risk appetite, it is not directing the nature or scale of risks taken by the business.
The EADS Airbus A380 wiring debacle in 2006 is a good example of failure to set and control risk appetite strategically, as well as illustrating other risks including excessive complexity and poor communication.
The programme to design and build the giant A380 aircraft was one of exceptional complexity and novelty. Part of the complexity arose from the fact that major components were to be built at factories in France, Germany, Spain and the UK, with myriad sub-assemblies made around the world. Everything had to be shipped to Toulouse for final assembly. It is now better understood that complexity is itself a source of risk. It is clear that the decision to make major components in different countries and bring them together for assembly was, at least in part, a politically-driven strategy taken without regard to its impact on the manufacturing process. Airbus also took considerable risks in using new – and not entirely standardised – technology, not only for the structure and control systems but also for the design and modelling of the aircraft. It seems unlikely that the Airbus board became involved in these decisions, let alone set risk appetite for Airbus as a company.
When major components and sub-assemblies were brought together for final assembly, it was found that the wiring harnesses did not mate. The problem was compounded by middle managers, who failed to reveal it to senior managers for six months. This seems to have resulted, at least in part, from a culture that did not allow the freedom to criticise – essentially a communication problem.
In the end, the harnesses had to be dumped and the aircraft rewired to a new design, costing up to €5bn. Senior figures and their political sponsors became embroiled in the resulting internal disputes that saw the French and German governments manoeuvring to install new leaders at Airbus.
RISK GOVERNANCE
CHAPTER 6
DEFINING THE RISK APPETITE/RISK TOLERANCE OF THE ORGANISATION
Tom Teixeira, Practice Leader, Global Markets International, Willis Group
SNAPSHOT
■ Companies must be able to clearly define, articulate and implement a framework that outlines the risks they are prepared to take and the limits they are prepared to operate within.
■ This approach will provide a powerful tool to drive the improvement of performance across the business. Acting like a car’s brakes, it can allow a business to move at speed, safely.
■ It provides a means of monitoring the activities across the various business units and operations and creates warning mechanisms as risk limits are approached, to ensure that the right behaviours are implemented in a timely fashion.
■ The approach described in this chapter will ensure that the board is fully aligned with improved strategic and financial planning, effective risk management and value maximisation.
STAKEHOLDER AND SHAREHOLDER EXPECTATIONS
The expectations of a company’s stakeholders and shareholders are ever more
demanding, with the need for evidence of clear boundaries that inform the
nature and amount of risk to be undertaken. Whilst transparency and good
corporate governance are high up on the board’s agenda, for a company to
remain competitive in today’s challenging economic environment, an optimal
balance must be achieved between risk retention, financing and transfer. In
essence, companies must take risk on a controlled and informed basis to ensure
that uncertainty and volatility are reduced and the probability of delivering their
business plan is increased.
This approach must be reflected in an organisation’s mission and value
statements. Understanding risk and taking risk-based decisions must be part of
everyone’s remit and not seen as an administrative, compliance-driven burden.
CHALLENGES
A question then arises around definition and understanding. The phrases ‘risk
appetite’, ‘risk tolerance’ and ‘risk threshold’ are frequently used to describe an
organisation’s approach to risk and have tended to create misunderstanding and
confusion. Senior executives often perceive these words to signify constraints or
straitjackets that may prevent them from doing business. Moreover, this is not
helped by the fact that some definitions are subjective in nature and are
therefore considered to be vague and imprecise.
To be able to articulate benefits properly from a board’s perspective, we need
to draw a clear distinction between risk appetite and risk tolerance.
For simplicity, we will take the definition of risk appetite from the British
Standard BS 31100: “The amount and type of risk that an organisation is
prepared to seek, accept or tolerate”. This is illustrated by the risk heat map
below, where the red line shows the boundary between risks that are deemed
acceptable and those that are not. It is important to note that some of these risks
may have reputational impacts, which are not necessarily quantifiable from a
financial perspective.
[Figure: risk heat map with Impact and Likelihood axes, plotting: Fraud or non-authorised operations; Natural catastrophe; Loss of key managers; Non respect of contractual obligations; Third party claims for loss of earnings; Poor project management; Supplier default; Loss of key partnerships; Business continuity problems or loss of services; Poor retention of high-potential staff; Product or service quality; IT problems]
To achieve a better understanding of the meaning of risk tolerance within this
context, it is worth reviewing a standard engineering definition of tolerance:
“Dimensions, properties or conditions may vary within certain practical limits
without significantly affecting functioning of equipment and process”. In effect,
setting risk tolerances requires a company to consider in quantitative terms
exactly how much of its capital it is willing to put at risk; risk tolerance is
therefore a quantitative expression of the risk appetite. A ‘top down’ approach is
required here to help reinforce the governance and risk culture by setting an
appropriate ‘tone from the top’. This approach is very helpful in determining the
materiality of risks and the escalation rules to be implemented that ensure the
board achieves a clear understanding of current threats that can affect the nature
of the business. At a more detailed level, tolerance levels are expressed as ‘limits’
or ‘targets’ and should be specifically linked to products, business lines or risk
categories. This approach will assist in monitoring the organisation’s exposure
both by individual risk and cumulatively.
RISK APPETITE STATEMENT
The definitions outlined above should come together in a clearly articulated risk
appetite statement, which can act as a cornerstone to how organisations identify
and crystallise untapped enterprise value. The objective of a risk appetite
statement is to define the level and nature of risk that an organisation is willing
to take in order to ensure that its business plan is delivered in accordance with
stakeholder expectations and within the constraints set by debt holders and
regulators. The risk appetite statement should define specific tolerances related
to the company’s performance. The statement should:
■ Provide a clear understanding of the amount and types of risks that the
organisation is comfortable in taking – including reputational risks;
■ Be reflective of all key aspects of the business;
■ Specify maximum tolerable limits and variability, using both quantitative
and qualitative parameters; these will be driven by corporate objectives
and stakeholder expectations and constraints;
■ Reflect the desired balance between risk versus reward;
■ Provide a framework that will ensure that an action-based approach is
undertaken in order to create a real effect on the organisation’s business
strategy and approach.
MANAGING EXTREMES USING KPIS AND FINANCIAL INDICATORS
There are various ways of expressing risk appetite, but in considering the points
above, the simplest and probably the most widely used approach is to consider
indicators that provide a basis for setting limits, targets and thresholds. Key
performance indicators (KPIs) are one such type of indicator, which help
companies track their financial performance and operational efficiency and
enable management to focus efforts on areas that require the most attention.
The use of KPIs in a risk appetite statement provides a basis to test the
sensitivity against different levels of unplanned loss. Many companies are
uncomfortable if their KPIs deviate by more than 3-5%, and it is therefore
important to identify the size of potential losses that will test these limits.
Specifying risk appetite involves more than defining a monetary amount
because there will always be extreme scenarios where this figure is breached. It is
necessary to add a probability dimension, so a typical VAR (value at risk) risk
appetite statement might read: “The maximum acceptable annual aggregate
retained loss is £65m with 95% confidence”. This means that the strategy is to
avoid annual aggregate losses of more than £65m, more frequently than 5% of
the time, or once in 20 years. The statement could be more refined than this, for
example: “The maximum
acceptable annual aggregate
retained loss is £65m with 95%
confidence and £100m with 99%
confidence”.
An acceptable risk management
strategy must meet the conditions
of the risk appetite statement. There
will normally be more than one strategy that passes this test, so the challenge is
to identify the best strategies from this set – those that strike an optimal balance
between risk retention and risk transfer, subject to cost.
The process of developing a risk appetite statement must be iterative in
nature. Both the board and the senior management team need to be able to
analyse the existing propensity to take risk, using historical data, and then
consider the desired risk appetite. The approach should consider reputational
metrics which should be qualitative by nature but are just as important as those
that are financially related. The overall process must be supported by
organisational data, policies and senior management and board interviews.
Typical qualitative and quantitative components that would make up a
comprehensive risk appetite statement are illustrated in the following table:
Table columns: Metric; Illustrative definition; Management options; Key stakeholder

Metric (quantitative)
• Target debt rating
• Earnings volatility
• Maximum loss
• Liquidity headroom

Metric (qualitative)
• Reputation
• Regulation
• Governance
• Growth

Illustrative definition
• We target a Moody’s rating of ‘XXX’ on our senior debt, at all times staying above ‘YYY’
• We will not miss consensus earnings forecast by more than ‘X’% at a ‘YY’% confidence level
• We will aim consistently to target dividend of ‘XXX’
• We do not wish to see a loss of more than ‘XXX’ at the ‘YY’% confidence interval
• Available liquidity resources to meet requirements at ‘XX’% confidence interval
• Ensure that the highest ethical standards are followed at all times
• Have no significant instances of regulatory breach
• Ensure appropriate policies and processes are followed at all times
• All new business opportunities to follow appropriate risk controls

Management options
• Granular measurement of Economical Capital
• Monitoring key metrics (eg. AFR, liquidity etc)
• Quantitative stress testing of business plans
• Bottom-up risk measurement
• Liquidity model to measure and forecast requirements
• Ethical policy written, to be followed by all staff all the time
• Compliance department
• Internal/external audit
• Strategic planning process • Avoid portfolio concentrations

Key stakeholder
• Debtholders • Rating agencies
• Shareholders
• Management
• Regulator • Shareholders • Debtholders
• Customers • Regulator
• Regulator • Shareholders
• Regulator • Shareholders
• Shareholders
Whilst the financial services sector has led thinking on how to develop and set
risk appetite (and the financial terms often used in this area tend to reflect this),
the tired belief still found in other industries that this subject “concerns only
financial services and doesn’t apply to us” needs to be firmly rejected.
It is important to remember, however, that there is no single ‘one size fits all’
approach to the development and setting of risk appetite. The content will very
much depend on culture, industry sector, availability and quality of data and
levels of existing enterprise risk management (ERM) maturity.
SUPPORTING THE BOARD’S NEEDS
From a board’s perspective there are a number of advantages to adopting the
approach described in this chapter:
■ A holistic approach to risk management is generated, allowing the board to
achieve a better understanding of the key threats to the business that can
result in serious financial or reputational damage;
■ An environment is created that will allow the board to become more
engaged in risk issues and help promote buy-in at senior management
levels to ensure that a risk-based approach is adopted in strategic decision-
making across the business;
■ The board will be in a better position to deal with conflicts that may arise
between different stakeholders, ensuring all views are aligned with the
organisation’s strategy.
KEY ACTIONS FOR BOARD MEMBERS
■ Set and agree the overall risk appetite and corporate risk tolerance;
■ Ensure that the risk appetite statement is signed off and communicated
well, so that expectations are set in relation to management’s risk taking;
■ Regularly review the organisation’s risk appetite-related tolerances to
ensure that they are still relevant to the business objectives and the ever-
changing nature of risk;
■ Ensure that the risk appetite review is part of the organisation’s strategy
and planning processes.
CHAPTER 7
BOARD COMPOSITION: KNOWLEDGE VERSUS INDEPENDENCE
Sir Geoffrey Owen, Senior Fellow, The London School of Economics and Political Science
SNAPSHOT
■ In appointing chairmen and non-executive directors, companies need to ensure that the independence criterion is not given excessive weight; knowledge of the industry is also important.
■ Board diversity needs to be addressed and encouraged but the same principle applies as above: knowledge of the business is a key consideration.
■ Having the right experience, understanding and motivation is more important than the number of board members, although too big a board can be unwieldy.
TODAY’S BOARDS
Thirty years ago the boards of most UK publicly listed companies consisted
mainly of insiders – current or former executives, plus in some cases the
company lawyer, or its financial adviser. The board may also have included one
or two independent directors with no commercial link to the company –
distinguished people who added lustre to the board, or people with special
expertise or contacts that were directly relevant to the company’s business;
these men (rarely women) saw themselves as friendly advisers, not as monitors
of management. In many cases, the posts of chairman and managing director (in
those days the title ‘chief executive’ was rare) were combined in one person.
Today, the typical board, especially in large, publicly quoted companies, is
dominated by outsiders. The chairman is generally independent, having had no
previous connection to the company at the time of his or her appointment. At
least half and usually more of the other directors are independent according to
the same definition. They have a clear responsibility, not just to provide support
and advice, but also to appraise the performance of the executives, and of the
chief executive in particular, and to make changes when necessary.
This shift in the composition and role of the board of directors has emerged as
a result of a series of corporate governance reports, starting with Cadbury in
1992. Part of the purpose of the Cadbury Committee, which was set up in
response to several corporate scandals, was to ensure that boards had a strong
enough independent element to counter the risk of over-powerful leaders riding
roughshod over the interests of shareholders in pursuit of their personal
objectives. This was the start of a reform process that has led to the Financial
Reporting Council’s (FRC) current corporate governance code. The Code
recommends, among other things, that the posts of chairman and chief executive
should be kept separate and that at least half the board should consist of
independent non-executive directors (NEDs).
THE CHAIRMAN
The Code provides guidelines, not compulsory rules, and through the comply-or-
explain principle companies have the freedom to depart from them as long as
they explain to their shareholders why they are doing so. Although very few
listed firms now combine the posts of chairman and chief executive, some,
including several leading banks, have rejected the concept of independent
chairman, and have promoted the retiring chief executive (or sometimes another
full-time executive) into the chairman’s office. Their argument, broadly
accepted by shareholders, has been that the complexity of the banking industry
is such that they need someone in the role of chairman who is fully conversant
with all aspects of the company’s affairs. The case for an insider appointment has
been strengthened by the fact that some of the banks that were hardest hit by the
crisis of 2008-9 had a non-banker as chairman.
How far the argument about complexity applies to other industries is a tricky
question, and one that boards have to consider seriously when appointing new
chairmen. Partly because of the banking crisis, there is now a growing
recognition that the independence criterion may have been given too much
weight, at the expense of knowledge, in the appointment of new chairmen. If the
chairman has no experience of the business, there is a danger that he or she will
become a puppet in the hands of the chief executive.
What is clear is that, on this issue, there are no hard and fast rules; companies
should make their decision on the basis of their particular circumstances at the
time, and in the light of the personalities involved. An interesting case is that of
ARM Holdings, which as a semiconductor company operates in an industry that
is at least as complex, though in a different way, as banking. When Sir Robin
Saxby retired as chief executive in 2001 after 10 years in the job, he was made
chairman, and he held that post until 2006. He was then succeeded by an
outsider, but one who was totally familiar with the semiconductor business. The
new chairman, Doug Dunn, had worked in several semiconductor companies,
and prior to joining ARM had been chief executive of ASML, a leading supplier of
lithography machines to the semiconductor industry.
Rather than blindly following the guidelines, companies need to be
pragmatic, as Tesco has been in recent years. Ian MacLaurin (now Lord
MacLaurin) was one of a small group of individuals responsible for lifting Tesco
into a position of leadership in the UK supermarket industry. He became
managing director in 1973 and chairman in 1985. When he retired in 1997, the
new chairman was an outsider, John Gardiner, who had been chief executive of
the Laird Group. When Gardiner retired in 2004, the chairmanship passed to
Tesco’s finance director, David Reid. Last year Reid was succeeded by Sir Richard
Broadbent, who had held senior posts in government and banking, but had no
direct retailing experience.
But whether the choice falls on an
insider or an outsider, there is no
doubt that getting the right
chairman in place is even more
important than it was 10 or 15 years
ago. This is reflected in the fact that
the term ‘non-executive chairman’
has largely gone out of fashion. The chairman is not part of the management
team, and is usually part-time, but the responsibilities – for example, dealing
with shareholders and with the government – have become much more onerous.
This in turn raises a further problem: how to ensure that the higher profile of
the chairman does not lead to conflict with the chief executive. A clear allocation
of tasks between these two posts is critical to the effectiveness of the board. This
is not just a question of writing detailed job descriptions. The most common
cause of dysfunctional boards is the inability of the chairman to establish a good
working relationship with the chief executive. This can arise when new chairmen
move into the job immediately after serving as chief executive of another
company; they are used to calling the tune and may have strong views about how
the business should be run. (This is why some companies prefer to appoint ex-
finance directors, rather than ex-chief executives, as their chairman.) The
relationship only works if the two people are clear about what they are
responsible for, recognise the value of each other’s contribution, and have
mutual respect. Ideally they should be complementary in temperament as
well as in background and experience.
THE NON-EXECUTIVE DIRECTORS
Some of the considerations relevant to the appointment of chairmen also apply
to NEDs. Companies have to strike the right balance between knowledge and
independence. The NEDs must include some members, perhaps a minimum of
two, who have an intimate knowledge of the industry and can provide an
authoritative assessment of management proposals. Of course, knowledge of the
sector does not ensure that they will be effective directors, but the board is
unlikely to function well if the outsiders are ill-informed about the business.
This leads on to the question of board diversity. While there is no immediate
prospect of Norwegian-style quotas, UK companies are under pressure from the
government to put more women on their boards. Most chairmen accept that, in
principle, having at least two female NEDs is desirable. But the supply of
appropriately qualified candidates is limited, and it would be quite wrong for
companies to give in to political correctness and appoint women who are
unlikely to make a useful contribution. On the other hand, it is arguable that the
professionalisation of boards that has taken place in recent years – and the
strong preference for directors who have served as senior executives in other
companies – has gone too far, leading to an unhealthy degree of uniformity
around the board table. People with a non-business background, whether male
or female – from academia, for example, or from the charitable sector – can be
valuable board members if they make a real effort to understand the business and
are sufficiently self-confident to question what the managers are doing.
SIZE OF THE BOARD
Most companies prefer their boards to have around 9 to 11 members; boards with
more than 15 directors are thought to be hard to manage.
SIZE OF BOARDS IN 2010 (LARGEST 150 FTSE COMPANIES)
8 or fewer 27%
9-11 51%
12-14 18%
15 or more 4%
Source: 2010 UK Board Index, Spencer Stuart
There is less agreement on what the balance should be between executives and
non-executives. Some argue that the presence of line or functional executives in
addition to the chief executive and finance director is pointless since such people
can never challenge their boss. Others believe that a mixed board – say four or
five executives and six or seven outsiders – makes for a more cohesive group and
gives the NEDs a better feel for the company’s operations.
There may be a danger, if the latter course is followed, that the social bonds
between insiders and outsiders will become too close, and the NEDs will find it
hard to play an effective monitoring role. But in this, as in most other aspects of
board effectiveness, the precise composition of the board – the number of female
directors, the presence or absence of people with a non-business background,
even its size – is less important than the character and motivation of the people
who sit round the table, and the quality of leadership from the chairman.
KEY ACTIONS FOR BOARD MEMBERS
■ Regularly monitor the chairman/CEO relationship – is it working, do the
two people fully understand each other’s role and responsibilities?
■ Reflect on the character of board discussions – are the right issues being
tackled, is too much time being spent on matters that are not central to the
company's future?
■ Critically assess the contribution made by individual board members – is
there too much ‘groupthink’, too little challenge of the executives?
■ How much do you really know about the business, how best can you get up
to speed on the details of the company's affairs, without trying to second-
guess the management on every decision?
CONTRIBUTOR
Sir Geoffrey Owen is Senior Fellow at The London School of Economics and Political
Science. He is author of Evolution or revolution? Changes in Britain's boards of
directors from 1960 to 2010, published by Spencer Stuart in 2011.
WHAT CAN HAPPEN WHEN SKILLS ARE LACKING
Given that the role of NEDs is to provide independent oversight of the business, they need – at least collectively and arguably individually – sufficient skill and knowledge to ask the right questions and to evaluate the adequacy of answers they receive.
A prime example where this appears not to have been the case was Independent Insurance, set up by Michael Bright and his longstanding friend and colleague Philip Condon. In 1987, Bright became CEO with Condon as his deputy. Denis Lomas became finance director. The company wrote a significant amount of long-tail liability insurance and other types of insurance where reserves are hard to assess.
The company made stellar progress at first, but by the late 1990s the trio came to realise that the business was in fact making losses and set out to conceal them. Their techniques included keeping reserves off the accounts, understating reserves and, eventually, making fraudulent reinsurance contracts. The company was put into liquidation in June 2001. Bright, Condon and Lomas were convicted of fraud in 2007.
There had been rumours in the insurance market that Independent’s results were ‘too good to be true’, while its annual reports contained hints that things were going wrong, but these were not picked up by the board (nor the auditors or regulators). The publicly available biographies suggest that the NEDs were eminent City figures, but there is little evidence that any had the specialist technical skills or experience to know how – and how easily – long-tail liability reserves can be manipulated. Their collective weakness made the company more vulnerable to a fraud by its executives.
CHAPTER 8
THE BOARDROOM CONVERSATION
Alison Hogan, Managing Partner, Anchor Partners, with support from Ronny Vansteenkiste, SVP, Group Head
Talent Management & Organisation Development, Willis Group
SNAPSHOT
■ The chairman sets the tone for the board and is responsible for creating a
climate of openness, challenge and productive dialogue.
■ For a board to be effective, including in the exercise of risk oversight, it needs the
right behaviours as well as the appropriate balance of experience and expertise.
■ It is important to ensure that boards are continuously reinvigorated by managing
recruitment and retirement procedures.
THE KEY ROLE OF THE CHAIRMAN
“The chairman should demonstrate the highest standards of integrity and probity, and set clear expectations concerning the company’s culture, values and behaviours, and the style and tone of board discussions.”
Guidance on Board Effectiveness, Financial Reporting Council (FRC), March 2011
The chairman sets the tone for the board and should ensure that the board is
clear about the company’s purpose and is committed to its culture, values and
behaviours. The chairman is responsible for creating a climate of openness,
challenge and productive dialogue. A good chairman, rather like a conductor of
an orchestra, will seek to ensure that everyone is fully engaged and able to make
an appropriate contribution to discussions and decision taking. This requires
sensitivity to group dynamics – noticing who has spoken and who has not,
encouraging constructive challenge, collaboration, and the sharing of relevant
experience and expertise.
For a board to be effective, including in the exercise of risk oversight, it needs
the right behaviours, as well as the appropriate balance of experience and
expertise. The chairman has a critical role in the recruitment of non-executive
directors (NEDs), ensuring that newly appointed NEDs have a thorough
induction and an ongoing process of deepening their understanding of the
organisation, including its risk profile. The chairman needs executive directors
to take responsibility for identifying and raising issues and risks that should be
reported to the board.
The chairman manages the agenda, plays a key role in overseeing the flow and
quality of information, and ensures that board members can give sufficient time
to make sense of the information.
Many chairmen, when describing best practice, talk of leaving egos at the door
and cite ‘true independence of mind’, ‘a refined set of people skills’ and ‘leading
with a rod of iron’ as key characteristics of good chairmanship.
THE GROUP DYNAMICS OF BOARDROOM DEBATE
“The challenge should not be underrated. To run a corporate board successfully is extremely demanding. Constraints on time and knowledge combine with the need to maintain mutual respect and openness between a cast of strong, able and busy directors dealing with each other across the different demands of executive and non-executive roles.”
The UK Corporate Governance Code, FRC
According to one chairman, the indispensable characteristics of a good board are
“commitment, character and cutting edge” and “the best and the broadest mix of
relevant skills and experience that we can find”.
The behaviours of board members – the group dynamics – are as important as
the mix of skills and experience. Good decision-making requires collaborative,
independent-minded individuals
offering constructive challenge and
support in an environment of trust,
openness and transparency.
Creating the necessary conditions
for trust and openness to thrive
requires clarity about the function
of the board and the roles and
responsibilities of board members. Members represent different interests and
different stakeholders and such differences need to be acknowledged, while also
being clear that board members hold a collective responsibility for the good
governance of their company. There are times when an individual represents
and argues for a particular interest or stakeholder. At other times, they need to
suspend that position and be open to a more collaborative dialogue.
There is an inevitable tension in a board that consists of both executive and
non-executive directors, including between the chairman and the chief
executive. The chairman is there to champion the chief executive and provide
‘air cover’ when necessary. But there may come a time when they have to manage
the chief executive out of the business. Likewise, NEDs offer both challenge and
support. Executive directors have to balance the value of the insights and
guidance that the NEDs bring with what can sometimes feel like onerous
commitments to keep them sufficiently briefed. Some NEDs need to have
significant sector expertise to be able to get to the ‘heartland’ of the business and
ask causal questions. But NEDs must also have the confidence to ask the ‘big,
stupid questions’ that can tease out an important issue that is being overlooked.
HOW TO FOSTER A DEBATE THAT WILL BEST IDENTIFY KEY RISKS
“We must be prepared to challenge, confront, disagree and probe, but always in a way that is constructive and supportive of the business agenda. Nothing should be left unsaid within a team that is committed to success.”
Niall FitzGerald KBE, when Chairman of Reuters (now Thomson Reuters plc)
To avoid ‘risk blindness’, boards need to challenge received wisdom and ask
themselves what would be the worst thing that could happen. The boardroom
should be a place where the most critical issues are discussed, where everybody
feels they can ask the necessary questions and get fair and appropriate answers.
Constructive challenge requires the skills of critical thinking; suspending
judgement; engaging in open dialogue; considering what has been left unsaid as
well as what has been said. It takes time, and the management of time and the
design of the agenda are important; noticing if a discussion is too rushed or if
critical steps have been missed out; ensuring good closure, with clarity on
actions and responsibilities. According to the FRC, executive directors should
“appreciate that constructive challenge from non-executive directors is an
essential aspect of good governance” whilst NEDs should “devote time to
developing and refreshing their knowledge and skills, including those of
communication”.
The FRC suggests that the board has particular responsibility for identifying
risks linked to strategy or resulting from external developments – ‘top down’
risks – contrasted with ‘bottom up’ operational risks which are the responsibility
of management to identify and, where appropriate, bring to the attention of the
board. However, these distinctions do not hold when it comes to the board’s
responsibility for managing risk. As the FRC notes, “While the greater awareness
of ‘Black Swan’ risks was welcomed, this ought not to be at the expense of
addressing more ‘traditional’ risks”.
One chairman suggests that an essential requirement of good corporate
governance is that effective risk management systems are embedded in the
business with management tools which have a clear line of sight, through risk
and responsibility and right up to the board room. Then agendas, be they group,
divisional or business streams, will be driven accordingly.
OVERCOMING ‘GROUP THINK’, A LACK OF CRITICAL DEBATE OR DOMINATION BY CERTAIN INDIVIDUALS
“An effective board should not necessarily be a comfortable place. Challenge, as well as teamwork, is an essential feature. Diversity in board composition is an important driver of a board’s effectiveness, creating the breadth of perspective among directors, and breaking down a tendency towards ‘group think’.”
Guidance on Board Effectiveness, FRC, March 2011
A climate of openness and respect is a prerequisite for a high quality of debate.
The chairman will usually take the lead in encouraging awareness of the diversity
and range of skill in the room and for individuals to stay open to others’
perspectives. High quality debate requires everyone to have a chance to speak
and to feel able to challenge conventional wisdom.
Occasionally people may say outrageous things and that has to be taken on its
merits. What needs to be guarded against is that no-one should feel intimidated;
no individual or clique should start to dominate the agenda nor should
individuals stop listening – good debate requires participation rather than
nodding heads, collaboration but not collusion.
Ensuring that the board and the committees of the board are refreshed
regularly is a way to guard against ‘group think’ and the domination of a
particular group or groups in decision taking. Refreshing the board also helps to
avoid complacency or the situation where too much reliance is placed on
particular individuals. When a NED makes a valuable contribution over a number
of years, it can be difficult to decide on an appropriate date for retirement.
HOW TO DEAL WITH BOARDROOM CONFLICTS OR DIFFICULT SITUATIONS
“If you set the right climate, you get great people. With great people comes great chemistry – people willing to say what they think; making added value contributions in an atmosphere where executives feel supported where appropriate, and challenged when necessary.
“If you get self-seeking, power hungry egotistical non-executive directors who are there to promote themselves and prove something to the outside world, it becomes adversarial and dysfunctional.”
Sir Roger Carr, Chairman of Centrica plc and President of the CBI
Board preparedness and clarity of function and roles can help reduce the
likelihood of conflict but are unlikely to prevent it completely. When the issue is
inter-personal, the influence of the chairman is significant in guiding –
sometimes coaching – individuals to understand their role on the board and the
impact of certain behaviours. Regular board evaluation is a helpful
process by which to identify and address such issues. If the chairman is seen as
part of the problem then the SID would be expected to manage the situation.
Sometimes there will be conflicts of interest that need to be aired and
addressed. An example of this might be involvement with a stakeholder with
some commercial or other link to the company, such as a customer, supplier or
trade organisation.
In any board conversation, it is incumbent upon directors: to be well prepared
and clear on the purpose of the agenda; to stay with the evidence and notice
assumptions that are being made or when issues become personal; and to notice
how they and others react when being challenged or when their views seem to be
unappreciated or ignored.
Whilst not avoiding the courageous conversations and risking constructive
conflict, it is also important to gauge when a particular interaction is getting
stuck or into a downward spiral that is better curtailed and taken off-line.
THE ROLE OF THE SENIOR INDEPENDENT DIRECTOR
The role of the senior independent director (SID) has increased in importance in
recent years, particularly in a corporate crisis when both chairman and chief
executive come under fire from various stakeholders.
The role of the SID is also important at other times of corporate uncertainty,
for example, if there is a major conflict between the chairman and chief executive
or if other directors or stakeholders believe that the chairman or chief executive
is not addressing their interests.
In normal times, the SID is valued as a highly independent and experienced
director who acts as a sounding board for the chairman and leads the evaluation
of the chairman on behalf of the other directors. The SID can also play an
important role in helping new NEDs settle in and find their place on the board,
and acts as a conduit between NED and chairman. They will demonstrate the
characteristics expected of an effective board member and, to that extent, will
contribute significantly to the quality and tone of board conversations.
WHEN AND HOW TO RESIGN FROM THE BOARD
Occasionally, there are circumstances when a director or directors will consider
resignation from the board.
The reasons behind such a choice can vary significantly. It may be that there is
an overly dominant individual, or group of individuals, on the board who is
driving an agenda that raises serious issues of accountability or good corporate
governance. Or an individual director may find that circumstances have changed
so that they feel unable to devote the time, or to make the valued
contribution, needed to warrant their continuing membership of the board.
In the latter case, it would be important to talk to other directors, including
the chairman and possibly the SID, to discuss the situation. Regular board
evaluations are a vital tool that can help to provide some context and independent
feedback, both to assess the individual more accurately and to assess the collective
value of members of the board. By aiming to have a diverse board, it is inevitable
that people will bring a different mix of experience and expertise that will be
called upon in different ways, depending on the critical issues that the board is
addressing. The UK Corporate Governance Code encourages board members to
continue a process of self-development and to up their skills in some important
areas. It may be that this is a process of ongoing learning and that with practice
and support, directors can become increasingly effective. Or the conclusion may
be reached that it would be appropriate for a director to resign.
The process of election and re-election to the board is critical in ensuring that
boards are continuously re-invigorated, so it should be part of the ongoing
management of a board to actively
monitor and manage both the
recruitment and retirement of
board members.
In the case where a director feels
compelled to consider resignation
on the basis of principle then the
circumstances are more sensitive
and complex. The first step for a director is to take as detached a perspective as
possible about the situation and to be as clear and precise as possible about the
grounds for possible resignation. The board’s role is to challenge and support and, if there
has been vigorous and open discussion, there will be occasions when individual
directors will pragmatically support a decision that they argued against. At other
times, it might be an issue of principle that is so important to them that the only
way they can register their opposition is through resignation. In such
circumstances a careful conversation with the chairman would be essential.
If a director or directors have concerns about the chairman or they or
shareholders express concerns that are not being addressed by the chairman or
the chief executive then the role of the SID becomes pivotal and he is expected to
work with the chairman and other directors to resolve significant issues.
KEY ACTIONS FOR BOARD MEMBERS
■ Ensure a clear and shared understanding of the board's purpose, function
and individual and collective roles and responsibilities;
■ Leverage the full range of experience and knowledge available and ensure
that all voices are heard;
■ Engage in vigorous discussion, constructive challenge and support in a
climate of openness and respect;
■ Commit to an ongoing process that deepens your understanding of the
organisation, including its risk profile.
CONTRIBUTORS
Alison Hogan is Managing Partner of Anchor Partners, a consultancy specialising in
boardroom behaviours and leadership development. She is a Fellow of the University
of Exeter Business School’s Centre for Leadership Studies. With support from Ronny
Vansteenkiste, Senior Vice President and Group Head Talent Management &
Organisation Development at Willis Group.
CONVERSATIONS THAT CAN WRECK REPUTATIONS
Organisations may expect their good reputation to last indefinitely, but this is a dangerous assumption, particularly with the advent of social media.
Maclaren, a Northamptonshire-based pushchair manufacturer, was a successful exporter and an iconic brand in the eyes of mothers when, in 2009, it reacted to reports of child “finger amputations”, involving pushchairs in the US, with a major product recall there. But the company was then perceived not to have applied a similar standard of post-event action in UK and Europe. The result was damage to its brand.
This was a product problem where the company took advice and followed standard practice, yet rapidly discovered that its response was insufficient to satisfy public concerns. The role of mumsnet.com in this case is particularly interesting. Maclaren had previously benefited from glowing testimonials about its products on the site, but it became a rapid, targeted and influential channel for complaints after the crisis struck.
CHAPTER 9
INFORMATION AND THE BOARD
David Jackson, Company Secretary, BP, provides a personal view
SNAPSHOT
■ The board needs various types of information to oversee risk and should define
information flows from management.
■ There are dangers in a ‘passive’ board approach, whereby key information remains
unknown to the board.
■ The board should interact with key employees. This can be done through
committees, without undermining management.
■ The company secretary has a key role in facilitating information flows to the board,
particularly the chairman and non-executive directors.
THE ROLE OF THE BOARD
The board’s principal tasks are to determine the company’s strategy and to
oversee its implementation and the performance of the company generally. To
do this the board and its members need to decide exactly what their own roles are
and, as a result, what information they need to carry out those tasks. This is a
conversation that the chairman should lead with all the directors, conscious that
any board oversight needs to be risk-based and risk-focused.
The board should decide which tasks it will take on itself and which it will
delegate to committees. Most boards have audit, remuneration and nomination
committees, as identified in the Corporate Governance Code. But risk oversight
can sometimes be split between financial and non-financial. So boards also set
up other committees. BP, for example, has a ‘Safety, Ethics and Environmental
Assurance Committee’; others have a corporate responsibility committee.
Business is all about risk and boards are not in the business of eliminating risk.
As other chapters have pointed out, their role is to understand the risks that are
being taken, define what the company’s risk appetite is and set out a clear
governance system for risk. This will involve the implementation of various
policies and procedures. The executive team then deals with the day-to-day
management of risk. In this sense it is misleading to talk about boards
‘managing’ risk. Rather, they ‘govern’ risk. The difference may sound semantic,
but these are two distinct tasks.
Risk has really shot up the corporate agenda. There is now a requirement for
those who either invest in the business or deal with it, to understand how the
business approaches risk in a systematic way.
THREE LEVELS OF RISK
It is often said that businesses face three types of risk. There is the risk to the
company’s strategy and plan being delivered. Boards are generally good at
dealing with this. The plan is central to the company, the board is familiar with it
and it often plays out over a set timescale. The executive will readily manage new
risks that emerge around the plan. The board needs to make sure that the
business has the systems to make sure it succeeds for that year and subsequently.
There are the broader risks to the business from externalities, for example,
from the global economic environment or from the way the Euro-crisis is
heading. Boards can be less good at spending the right amount of time on these
risks, as the executives can be inclined to say, “We’ve got our plan and we’re
going to go down that route regardless”. This is where the NEDs add value, by
using their wide experience to question and challenge, to ensure that the board
addresses these issues.
Finally, the board needs to raise questions around what are often seen as the
softer issues such as capability, or succession. The board should prioritise
questions such as, “Have we got the right technology for the future?” or “What
happens if the chief executive goes
under a bus?” If the board is to be
the ‘sustainable steward’ of the
company, it needs to find a way of
raising these key issues with the
executives and drawing any relevant
information from them. These are
all risks to the business.
In ensuring that these latter two levels of risks are considered and addressed,
the board uses what are often called its ‘initiation rights’. Rather than the
executive presenting issues for the board to consider, this is the board taking a
proactive role in setting the agenda. This is where the company secretary, acting
on behalf of the board, is the person who has to go out and, working with the
chairman and chief executive, make sure that it happens.
WHAT INFORMATION DOES A BOARD NEED TO OVERSEE RISK?
The challenge for some businesses has been to answer questions such as: “What
processes do we have to address all these risks?”, “How do we deal with this in a
systematic way that we can describe to our shareholders and others so that we
have their confidence?” Previously, managements got on with running their
business; they did evaluate and assess risk, but did not have to articulate how
they managed those risks systematically.
First, there’s a whole area of compliance risk. Does the company have a set of
central policies and procedures that govern things like environmental issues,
health and safety etc? How does the board have oversight over these?
With regard to capital expenditure, does the company have a procedure for
evaluating the risks around a particular project? There could be financial,
currency, environmental, safety or geopolitical risks involved. What is the
procedure for taking those decisions and what visibility does the board have of
those procedures?
In general, the board will delegate a certain amount of authority to the chief
executive simply to get on and run the business, but it will also set financial
measures – or some other criteria – to define certain issues that should be
brought before it for discussion. It is important for the board to understand the
sort of information that the chief executive and his executive team are using in
evaluating those risks and taking their decisions on a day-to-day basis. It needs
to look at the business ‘through the eyes of the executive’ and should be relying
on the same information that is being used in the business (albeit, usually in an
abbreviated form).
The board must then consider if it is satisfied with that sort of information. It
is here that the NEDs need to be assertive in asking for more or less information.
Much depends on the character of the NEDs – and whether they are good at being
‘non-executive’. There is sometimes a desire on the part of those who are former
executives (or who have been executives elsewhere) to get too closely involved,
which is not helpful. Their job is not to second-guess executive decisions, but to
challenge them constructively.
The board needs to have the necessary information to be able to challenge
effectively and carry out its other tasks – and it must never compromise on that.
At the same time, however, NEDs must take a careful, considered approach to
requesting information, or they risk setting organisations off on all sorts of
unnecessary work that is a waste of management time and a distraction from the
real issues. The emphasis is on the NEDs to be aware of the effects that their
requests for information can have, and to ask only for relevant information.
THE DANGERS OF A ‘PASSIVE’ BOARD APPROACH
If a board is too passive, there is a danger of creating a ‘glass ceiling’, whereby key
risk information exists at management level, but is not known to the board. This
is where having an understanding of the business is important, as is being
systematic about what they do. In identifying these risks, it is important to have
both a ‘bottom up’ and a ‘top down’ approach.
From the bottom up, you need to have a system that is put in place by the
executive so that individual business units or subsidiaries identify their own
business risks and what they are going to do about them. That is just good
management. How those risks are then aggregated to become ‘group level risks’
is an issue that the executive management needs to discuss with the board.
From the top down, the board will put forward a list of the risks that it
perceives could be a potential threat to the business. There should be a
discussion about whether the right issues are on the list and then about how the
board plans to have oversight or monitoring of those risks. The executive will
deal with many of them. If they are financial in nature, it is usual for them to go to
the audit committee; others may go to the corporate responsibility committee.
In this way, the board delegates the oversight of those risks to smaller groups of
NEDs. But some, such as reputation risk, may rest with the board as a whole.
At times, there may be a need for board interaction with key employees,
particularly those working in risk management, internal audit or compliance
functions. This can be achieved without undermining management through
systematic use of committees – at least in large organisations, where resources
are available. Committees enable a wider range of people to contribute. At BP, for
example, we consider it good practice now for internal auditors to come along to
both the internal audit committee meetings and the corporate responsibility
committee meetings. We also bring in compliance officers, safety experts or
whoever else is thought necessary to discharge the committee’s duties.
The committee system enables separate groups of directors to get into the
next level of detail down, to make sure that internal controls are working and
that risks are being properly managed – and they report back to the board. It also
frees up the board to do what it ought to be doing, which is acting strategically.
IDENTIFYING EXTERNAL SOURCES OF INFORMATION
Depending on the nature of the risk, it may be wise to supplement internal
perspectives with external views – to avoid the danger of relying exclusively on
management information. Most obviously, the audit firm and legal firm will be
able to talk about compliance and regulatory risk. If there is a concern about, say,
geopolitical risk, advice may be sought from appropriate authorities or experts.
Such external views are important and are part of a matrix of information that
gets put together to decide whether a particular risk is worth taking.
One shouldn’t forget, of course, that the NEDs themselves are an external
source of information about risk. There is a need for the board and the chairman
to make sure that the skills around the board table are used effectively to
challenge and support management to deliver its strategy.
INFORMATION OVERLOAD
Looking to the future, companies and society generate ever more information,
which presents a number of different challenges in terms of quality, quantity,
relevance, timeliness, and even delivery (should the board have iPads or should
board papers be uploaded to an ‘e-room’?). Most of these challenges can be
controlled, but it requires discipline – and a clear understanding between the
chairman and chief executive as to how they want matters to be dealt with.
Boards can easily fall into the trap of filling their meetings with paper – and
‘death by PowerPoint’ – resulting in too little time for real debate and too little
challenge. The key for board members is to be able to understand what they are
being asked for each agenda item. They need the right amount of information (a
longer paper is not necessarily a better paper) ahead of time. There needs to be
that level of discipline, therefore, so the board can get straight on with the
conversation and the NEDs feel empowered to get into the debate. Information
should enable a discussion, not be an obstacle to one.
SUPPORTING THE BOARD
To conclude, the board must make sure that it gets the right information about
the right issues at the right time – and it generally falls to the company secretary
to implement a sensible system for ensuring that this happens.
It is a role that is being increasingly recognised. In his recent report on banks
and financial institutions, Sir David Walker commented on the importance of
NEDs and the chairman – given the constraints on their time – having the
support they need to carry out their responsibilities. The most recent version of
the UK Corporate Governance Code echoes his point (see page 24).
KEY ACTIONS FOR BOARD MEMBERS
■ Board members should, under the chairman’s direction, review the tasks of
the board and ensure it is focusing on the right tasks in the right way;
■ They should ensure that their initiation rights are protected;
■ They should ensure that the experience of the NEDs is used in discussing all
aspects of risk;
■ They should align the board’s oversight of risk with the strategy.
CONTRIBUTOR
David Jackson has been Company Secretary of BP since 2003, before which he was
General Counsel and Company Secretary at PowerGen. Prior to this, he held a
number of legal positions with Matthew Hall, AMEC, Chloride Group, Nestle UK and
Barlow Lyde & Gilbert. He is also a director of BP Pension Trustees Ltd.
CHAPTER 10
INTERACTION WITH SHAREHOLDERS
David Pitt-Watson, Chair, Hermes Focus Asset Management
SNAPSHOT
■ Shareholders want to maximise returns but limit their risk. They put their trust in
companies they invest in to manage that risk as effectively as possible.
■ Well-managed communication with shareholders will help investors understand
the nature of risks your company faces.
A POSITION OF TRUST
The directors are fiduciaries; that is, they are bound in law to promote the company’s
interest, not their own, and to do so for the benefit of the shareholders as a
whole, after paying regard to the implications for other stakeholders.
For most of our large companies, the shareholders are a very different group of
people to the directors. Therefore, for the system to work, shareholders need to
know that those they employ work on their behalf.
Typically a shareholder wishes to maximise their returns, but minimise their
risk. That is the skill they will seek from the management of their company; not
that they avoid risk, but that they manage it. That is no trivial task, and it
requires a mixture of skills: industry knowledge, strategy, management of people
and organisations, finance and so on.
The legal institutions through which we run this system are there to help
manage this risk/return trade-off. That is why we have limited liability
companies: so that shareholders can limit their risk. It is why we have investment
funds, so that people can diversify their savings. It is why we have stock markets,
so that those who wish to take big risks (albeit with commensurately high enough
returns) can raise the money to do so.
In practice though, it raises a number of questions. The first is, “Who are the
shareholders?” Most people think of shareholders as large investment
institutions, or sovereign wealth or hedge funds. But in fact these institutions are
themselves fiduciaries for other people’s savings. Their aim should be to look
after the interests of the many hundreds of millions of people around the world
who are the beneficial owners of the shares in British companies.
So what sort of risk/return disciplines will those millions of people want?
Well, they will want to know that the company only invests where it can beat its
cost of capital; otherwise it would be better for them to have cash returned to
them. They would want an efficient capital structure. They would want to know
that the company fully understood its strategic advantage and was exploiting it
to the full. They would want the company to manage its relations with
stakeholders well, not least because stakeholders and beneficial shareholders
often end up being the same. And since they are diversified investors they will
not wish to encourage behaviour that damages the economic system as a whole.
Note that these are the necessary goals of a public company, which has many
owners. They may not be the goals of a private company. In the rest of this
chapter, we will look primarily at risk as it relates to public companies; those
directors who manage on behalf of a small group of investors should, of course,
consult them as to whether these general observations hold true for them.
MANAGING RISK
Shareholders will be interested in two types of risk management. The first is to
know that controls are in place to ensure that those things that can be managed,
are managed. The second is that the directors understand the level of risk that
they are taking; that that risk is in the shareholder interest and has been well
communicated. Let us look at each in turn.
Type A – operational controls
A company should always take measures to ensure that its control systems are
adequate: that it is not open to fraud or misappropriation; that it is acting within
the letter and spirit of the law. Note that these are different from the risks that a
company chooses to take, what it might call its risk appetite. For example, the
recent BP oil spill was not part of a ‘risk appetite’; it was a system failure that
simply should not have happened. Directors should always be satisfied that such
controls are in place, and shareholders will expect them to have sought such
assurance. Indeed, any material breach in such systems, together with the
remedial action that is being taken, should be disclosed to shareholders.
Directors should also be happy that adequate processes exist to ensure
the risk/return disciplines mentioned above are in place. So does the company
know it is beating its cost of capital? Can it articulate, and is it exploiting, its
strategic advantages to the full? Is it aware of, and is it managing, its social
and environmental risks?
Type B – risk appetite
A rather more complex area is the risk that the company itself chooses to take
on. We might divide these into two: financial and strategic. In both cases,
shareholders are likely to be happy to take on some element of risk, but they will
always want to know that the risk is managed down to the minimum appropriate
level.
As regards financial risk, directors should be particularly careful in
understanding the shareholders’ perspective, and that the company does not
replicate the job of the financial markets. For example, an individual whose
entire assets are tied up in one company may wish to see it diversify into different
business areas. This makes no sense for a diversified shareholder such as a
pension fund beneficiary, who has hired an investment manager to do precisely
that. A similar observation would apply to holding of cash on the balance sheet.
As regards strategic risk, public companies should be clear about the risks they
are taking. These can be very high, for example in the case of a drug development
company, or very low as in the case of a water utility firm. Shareholders are
willing to accept both, provided that they are well managed. They will expect
directors to be able to communicate this to them in an organised fashion.
Directors should be clear what the ‘known unknowns’ are. Shareholders will have
less patience with ‘unknown unknowns’, or worse still ‘unknown knowns’.
SAFEGUARDING COMPANY INTERESTS
Communicating such risks does not mean that companies need to offer a running
commentary on prospects. Indeed they will find themselves in trouble if they do.
As noted before, most of the fund managers who control company shares are not
the ‘owners’ of the shares. They have been hired to hold or trade the shares. If a
company makes many unexpected announcements about events that have or
might come to pass, it must expect that it will lead to a flurry of buying and
selling of its stock; but it is not in the long-term interests of the company itself.
Indeed, companies should be careful that they do not interpret the demands
of those who buy and sell shares as necessarily being in the interests of the
company. So, for example, banks that overextended themselves prior to the 2008
crisis have subsequently claimed that shareholders wanted them to do so. But
these could not have been the beneficial shareholders. They lost out, not only in
the value of their bank shares but also in the rest of their portfolio.
And, in extremis, directors need to look beyond the shareholder interest. Risks
should not be taken, even if they are in the shareholder interest, if this means
that there is the likelihood that the company is no longer a going concern, and so
may not be able to pay its debts as they fall due. That would be to abuse the very
institution of the limited
company. Directors of highly geared entities should pay particular regard to this,
and should make sure that the recent change in accounting principles (from
‘prudence’ in valuation, to neutrality), has not allowed them to gain a false
impression of the risks being taken by the company.
COMMUNICATION
All of this argues for clear, open, honest and controlled communication with
shareholders. This must be with all shareholders equally, to avoid one being
given insider knowledge. Too often, companies see this communication as one
way. But it is perfectly legitimate for directors to ask fund managers about their
own clients, investment strategy, their own risk tolerance, and how it might
develop over time. Ideally, your investors should be those who understand and
are capable of carrying the well-judged and managed risks your company takes.
But always be on top of the message. Remember that sell-side brokers, rather
like journalists, are always looking for a ‘story’, and fund managers are all too
ready to hear one. But it is the directors who manage the company and should be
able to explain risks, to assess their significance and to calm fears when
necessary. Your best ally in avoiding panic stories about risk is your own
management, and its ability before the event to have helped investors
understand the nature of the risks the company faces.
This communication is largely down to the reports and announcements that
the company makes and to the chief executive and the finance director as they
visit the shareholders. They should be well prepared for questions, and be clear
with their broker on the line they will take. They should be sure that, on leaving a
meeting, they have asked whether there are any further issues of concern. And
best practice might be to send the chairman round to discuss these issues with
fund managers afterwards to try and make sure that all investor concerns have
surfaced. Other directors should also be willing to talk to shareholders, if asked.
The reporting cycle and announcements to the Stock Exchange should help
regularise this process. But think through how and what risks need to be
communicated. Do not encourage excessive optimism or pessimism about
prospects, which simply creates a new risk when expectations are not met.
BE CLEAR ABOUT RISK
Communicating risk to shareholders can seem daunting, but directors might best
see it as a challenge to be clear about how they manage the company. And the
only safe perspective is to remember the fiduciary role of the director to act in the
interests of the company for the long-term benefit of all the shareholders after
having given due consideration to the effect on other stakeholders.
KEY ACTIONS FOR BOARD MEMBERS
■ Keep a log of the key risks that might affect the company. At the end of
every board meeting, consider whether they have been well discussed.
Be prepared to have a word with the chairman about issues that need to be
put on the agenda;
■ How do you know about the risks? Beside the list of risks, think about how
you could learn more: a walk around the factory? Talking to customers?
Having a meeting with the auditors?
■ Have you visited any shareholder representatives? Every now and then, ask
to see the investors. What do they think about risk? Is their list the same as
yours? If not, how can you better communicate as a board?
■ Managing risk is not an outcome, it is a process. Be patient and persistent.
RECOGNISING CHANGE IN THE RISK ENVIRONMENT
Risks change over time. The change is not always significant, but sometimes it can
become important. When the shift is sudden, it will often be spotted, but when a
gradual change accumulates over years, it is more likely to be overlooked. A number
of cases suggest a failure to recognise change in the risk environment:
■ The site of the Buncefield fuel storage depot, destroyed by explosion and fire in
2005, was originally surrounded by fields, but a large industrial estate employing
more than 15,000 people later grew up around it. This dramatically changed the
risk, but it is far from clear whether Hertfordshire Oil Storage Limited (HOSL), the
operator of the part of the site where the explosion occurred, responded to the
change.
■ Attitudes to Railtrack changed as it suffered a series of fatal rail crashes,
including Southall in 1997 and Ladbroke Grove in 1999, which appalled the public.
These set an increasingly bad ‘back-story’ against which future failures would be
set, but the Railtrack board did not seem to recognise the importance of this
deterioration.
■ When Firestone came to face a major tyre recall in 2000, it too had grown a
‘back-story’ from an earlier recall in 1978, in the course of which it had emerged
that the company had been aware of tyre defects as early as 1972. But its approach
in 2000 seems not to have recognised the earlier events, even though the 1978
recall had become a textbook case study of ‘how not to do things’, widely used in
business schools.
CONTRIBUTOR
David Pitt-Watson is Chair of Hermes Focus Asset Management. He is the author of
The Hermes Principles, which lays out the expectations of Hermes of the companies
in which it invests, and co-author of The New Capitalists, which describes how
structures of corporate governance can help ensure companies work in the interest of
the millions of individuals who own their shares.
CHAPTER 11
THE PERSONAL RISKS FACING DIRECTORS
Grant Merrill, Chief Underwriting Officer, Commercial Institutions, Financial Lines, Chartis
SNAPSHOT
■ As well as managing business risks, board members should also consider the risks they face in a personal capacity.
■ Exposure to both monetary and non-monetary relief is increasing for directors and officers (D&Os), as regulators and shareholders look to hold individuals personally liable.
■ Pitfalls come in a variety of forms and the cost of defending claims is rising exponentially. Safeguards and insurance offer essential protection.
IN THE LINE OF FIRE
The global financial crisis, economic uncertainty and financial scandals have
changed the world. Regulators, shareholders and the public will not tolerate any
repetition of the sins of the past – and their focus is squarely on business leaders.
Investigations and litigation are not the only risks directors and officers (D&Os)
face, as an ignominious departure and reputation loss can also have a huge impact.
Investigations and litigation are, however, an ever-greater threat. The
number of claims brought against directors in Europe in 2010 was 20% above
2009 levels, with the frequency of claims against executives of private companies
now higher than for listed companies. For example, Chartis notifications against
executives of private companies in continental Europe represented 56% of D&O
claims in 2010, up from 22% in 2008.
Monetary relief imposed on D&Os includes settlements, judgements and
fines, while non-monetary relief includes disqualification and imprisonment, as
well as enforced changes to boards and organisational strategies. Another risk,
when crimes are committed abroad, is extradition to face justice in a less friendly
jurisdiction – as highlighted in the press by the high-profile extraditions to the
US of the ‘NatWest Three’ and UK businessman, Christopher Tappin.
There is a distinct trend towards the ‘personalisation’ of claims, with
individual D&Os increasingly being named either as sole defendants or as co-
defendants alongside their company. The amount of fines assessed against
individuals by the UK’s Financial Services Association (FSA) increased by 47% in
2011 compared with 2010, whereas there was a slight dip in corporate fines.
CAUSES OF CLAIMS
Increased regulation and enforcement activity are leading to more
investigations. The UK’s Serious Fraud Office (SFO) handled in excess of 100
cases in 2011 compared to 50 in 2006.
The UK regulatory environment is currently in transition, but this trend seems
unlikely to change. 2012 sees the creation of three new regulatory authorities:
the Financial Policy Committee will regulate the UK’s financial systems as a
whole; the Prudential Regulation Committee will oversee financial institutions
that carry significant risks on their balance sheets, and the Financial Conduct
Authority, the successor to the FSA, has a core purpose of protecting and
enhancing the confidence of all consumers of financial services.
It is also not unusual to see co-operation between governmental bodies such
as the FSA and the US’s Securities & Exchange Commission (SEC), or the SFO and
the US Department of Justice (DOJ). As cross-border cooperation between
international securities regulators becomes commonplace, it adds a heightened
exposure for multinational companies.
The dynamics driving investigations are also changing, as whistleblowing and
self-reporting are encouraged, allowing regulators to allocate resources more
efficiently. These activities are also incentivised by the prospect of amnesty or
lesser sanctions, while reluctance to cooperate could be viewed as hostile.
Alongside tougher regulation, shareholders are focused on improving
governance, as illustrated by a higher volume of motions at annual general
meetings. Governance reform is leading to more transparency and creating a
higher fiduciary duty to shareholders for D&Os. Shareholders are looking to hold
individuals accountable through derivative actions, including, for example, for
losses suffered as a result of misrepresentations to financial markets.
Although making misrepresentations to markets with regard to their shares is
not a concern for private companies, they are affected just as much as their
publicly quoted counterparts by the increased focus on ethical business conduct
and greater corporate transparency. They are exposed on a daily basis to claims
relating to health and safety, employment practices and the environment,
among other areas. Many claims are against the company, with a director or
officer named as a co-defendant. Common areas of claims activity include:
■ Health and safety – The primary piece of legislation covering
occupational health and safety in the UK is the Health and Safety at Work
Act 1974. Under the Act, directors and managers can face personal liability
if they consented to a breach, turned a blind eye or neglected their duties.
The UK Corporate Manslaughter and Corporate Homicide Act 2007 enables
the prosecution of larger organisations, in the public and private sector,
where a corporate management failing has led to a death.
■ Mergers and acquisitions – Much claims activity surrounds M&A, with the
most common allegation being unfair treatment or valuation in a sale,
acquisition or merger.
■ Accounting irregularities – These are always a driver of D&O claims as
stakeholders, including investors, lenders and other creditors and
suppliers, all rely on the company’s financial statements.
■ Competition law – The Enterprise Act 2002 criminalised cartel activity and
empowered the Office of Fair Trading to investigate anti-competitive
activities in the UK, such as price-fixing, bid-rigging and market sharing.
■ Breach of fiduciary duty – On the civil side, there has been a rise in cases
brought by stakeholders related to breach of fiduciary duty resulting in
financial loss. In particular, the recent macro-economic slowdown is
increasing the number of bankruptcy claims, as companies struggle with
stressed capital structures and a lack of liquidity. Accompanying
allegations of asset stripping are common in bankruptcies of subsidiaries
and tend to be against individual D&Os, as stakeholders allege the parent
company profited at the expense of the subsidiary. The number of directors
reported for alleged misconduct by insolvency practitioners in the UK in
2010 was 7,030 compared to 3,539 in 2002.
The introduction of new legislation, along with more rigorous enforcement of
existing laws, threatens to put the actions of board members under even more
intense scrutiny in the future:
■ The Bribery Act, in force since July 2011, has made companies liable for
failure to prevent bribery within their organisation. A company will be held
liable regarding a failure to prevent bribery unless it can demonstrate that
it has taken all possible measures to prevent it. Directors can be guilty if
they consent to or ignore bribery on the company’s behalf by an employee
or agent. Essentially the onus of guilt has shifted, with the burden being
placed on boards to prove no wrongdoing has taken place.
A secondary consequence of the Act is the greater access to individuals and
companies it provides the SFO. The Act has extensive territorial scope as it
applies not just to UK incorporated entities, but also to any multinational
conducting business in the UK.
■ The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 in
the US has given the SEC new powers to pursue financial fraud and
ensure US markets are safe for investors. It includes a controversial
whistleblower provision that encourages the reporting of securities
violations and rewards the whistleblower with up to 30% of funds
recovered. This alone could be a significant driver of new investigations.
■ The Foreign Corrupt Practices Act (FCPA) of 1977, also in the US, has dramatically increased enforcement activity in recent years, with fines
becoming more substantial, in the hundreds of millions of dollars.
CHANGING DYNAMICS
For insurers, US securities claims against foreign issuers are currently the biggest
loss driver, but the dynamics are changing with a rise in non-US securities
actions anticipated. This follows a US Supreme Court decision in the case of
Morrison v National Australia Bank in 2010. The judgement dramatically limited
the extraterritorial application of US securities laws, not only barring plaintiffs
from asserting claims in the US over a multinational company traded on a non-
US exchange, but also limiting the extent to which claims can be made involving
non-exchange based securities transactions. Plaintiff attorneys are likely to find
other venues to bring these cases, not least in the UK and Europe where litigation
funding is becoming more prevalent.
Specifically in the UK, claims related to securities fraud can be made under
common law principles (for example, fraud, deceit, or negligent
misrepresentation), or under the Financial Services Market Act of 2000 (for
liability relating to statements made in a prospectus). Under these provisions,
claims can be pursued in a ‘representative action’, where one representative
claimant or defendant acts on behalf of a class of individuals. The increased use
of litigation funding in the UK may also make securities class action claims
more viable.
Shareholders are permitted to bring derivative suits for director negligence,
breach of duty or breach of trust under the UK Companies Act 2006.
SAFEGUARDS ARE KEY
Not only is D&O exposure increasing, but the cost of responding to
investigations and defending claims is rising exponentially, both for the
company and the individual. Potential conflicts are leading to separate legal
counsel for individual defendants, adding to costs.
D&O insurance is a key safeguard. Insurers offer specific coverage to address
the needs of individual board members, most importantly protecting their
personal assets. Key areas of insurance cover available to individuals include:
■ Special excess protection for non-executive directors;
■ Lifetime run-off for retired insured persons;
■ Investigation cover with respect to insured persons;
■ Extradition cover;
■ Environmental cover;
■ Public relations cover to mitigate effects on an individual’s reputation.
In today’s global business environment, compliance is critical – and often
requires local representation. If policies are not purchased locally, a claim may not
be paid, so the services of an insurer with a global footprint and multinational
capabilities are often essential.
No D&O policy will give complete protection: for example, none will cover
criminal fines and penalties or amounts uninsurable by law. Prevention is better
than cure, but controls and a robust governance structure do not guarantee
protection either. Bad things can still happen to good people. When it comes to
criminal or regulatory investigations and prosecution, a powerful defence may
be expensive, but it is critical.
KEY ACTIONS FOR BOARD MEMBERS
■ The first step is to understand where personal risks lie;
■ Seek timely advice on avoiding or mitigating those risks;
■ Take out comprehensive D&O cover from a reputable insurer with the
claims and litigation management capabilities needed in today’s complex
environment;
■ Be proactive when an issue arises.
78
THE PERSONAL RISKS FACING DIRECTORS
79
THE FINAL WORD
John Hurrell, Chief Executive, Airmic
A ROBUST APPROACHThis Director’s Guide has highlighted several major corporate crises of the last
decade. They serve as a salutary warning to board members: get the oversight of
business risks wrong and you are just one step away from disaster.
But there is no reason for board members to get things so disastrously wrong.
The purpose of this publication is to help them achieve robust risk oversight,
whether their role is executive or non-executive, their organisation large or
small, UK-based or multinational, and regardless of its industry sector.
THE ISSUES
The first three chapters of the Guide have set out the board’s role in dealing with
business risk: business is inherently risky – without risk, there is no opportunity;
companies operate in a dangerous world, full of potential risks, from strategic to
operational, from financial to reputational; and it is the board’s main ongoing
task to perform risk oversight.
Board members must satisfy themselves that effective risk management is
being practised at all levels of their organisation. There will be tough challenges
in discharging this responsibility, including ensuring they have the ability to
understand key risks, creating the time necessary to debate properly, and having
the courage to stand up to management.
THE SOLUTIONS
The Guide’s expert authors have then explained how, with the right approach
from the board, most risks can be successfully managed and mitigated. It starts
by establishing the right corporate culture. As Professor Roger Steare points out,
“The mitigation of risk begins with a clear and deep understanding of human
behaviour in the workplace.”
CHAPTER 12
With the ethical and moral compass of the organisation set in the correct
direction, it is vital that any consideration of the risks within an organisation
takes place within the context of the strategy. As risk and strategy are highly
related, the challenge for boards is to align the risk and strategy discussion.
Alongside this, they must be able to define, articulate and implement a
framework that outlines the risks they are prepared to take and the limits they
are prepared to operate within. In the jargon, they must define their ‘risk
appetite and tolerance’. As Tom Teixeira puts it, “This approach acts like a car’s
brakes, allowing a business to move at speed, safely.”
Board composition and behaviours are critical: there must be the right
balance on the board between independence and expertise; the chairman must
strive to create a climate of openness; the relationship between the chairman
and CEO should work smoothly; but at the same time, board members must avoid
‘groupthink’, showing a determination to stand up and challenge the executives
when it is necessary to do so.
Board members should also be assertive in defining information flows from
management. Again, there are dangers in being too passive, resulting
in key information remaining unknown to them.
Information overload can also be a problem. Boards must cut through excess
detail to focus on the real threats to their corporate reputation, as perceived by
all critical stakeholders, as these are the risks that can be terminal. Well-
managed communication with shareholders, who naturally want to maximise
returns but limit their risk, is especially important.
Finally, as well as overseeing business risk management, board members
should also consider the risks they face in a personal capacity. Pitfalls come in a
variety of forms and the cost of defending claims is rising alarmingly, so
measures to manage and mitigate the hazards are essential.